Help removing cmd service/spysheriff

sand man
2006-03-11, 23:12
I am getting a lot of pop-ups and have not been able to get rid of them. Any help would be appreciated. I have run Spybot, which found these entries but said it failed to remove them:

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

I also ran Norton anti-virus but it said it could not find:

C:\winstall.exe (adware.spysheriff)

Logfile of HijackThis v1.99.1
Scan saved at 2:05:47 PM, on 3/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [SiS Mpc Service] C:\WINDOWS\system32\mpcsvc.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\lv0o09d3e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

pskelley
2006-03-12, 22:30
Hello and welcome to the forum. You have a Look2me infection: http://sarc.com/avcenter/venc/data/adware.look2me.html and it needs to be removed first. Please follow the directions carefully for the best chance of success.

Thanks to Atribune and any others who helped with this fix

Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen check that task scheduler is running.
If it isn't, you can use sc.exe to start it:

Start > Run, type sc start schedule and press Enter.

Post the two logs bolded above; we have more to do.

Thanks...pskelley
Safer Networking Forums

sand man
2006-03-15, 06:46
Ran Look2Me-Destroyer without a problem, or so I think.

I got a message that the text was too long when I tried to put both logs in this note. So here is the Look2Me log. I will add the HijackThis log in a separate note.

Look2Me-Destroyer V1.0.10

Scanning for infected files.....
Scan started at 3/14/2006 9:32:04 PM

Infected! C:\WINDOWS\system32\f4l00e3meh.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP46\A0012685.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012720.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012726.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012730.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012735.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012757.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012762.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012782.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012788.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012809.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012815.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012821.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012881.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012886.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012906.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012916.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012921.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012924.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012929.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012932.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0013936.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0013941.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0013946.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013969.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013973.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013979.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013984.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013988.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013993.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013997.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP51\A0014029.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP51\A0014034.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP51\A0014038.dll
Infected! C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP51\A0014043.dll
Infected! C:\WINDOWS\system32\e0jmla111d.dll
Infected! C:\WINDOWS\system32\f4l00e3meh.dll
Infected! C:\WINDOWS\system32\gymf32.dll
Infected! C:\WINDOWS\system32\lvpq0975e.dll
Infected! C:\WINDOWS\system32\ofjsel.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\f4l00e3meh.dll
C:\WINDOWS\system32\f4l00e3meh.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP46\A0012685.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP46\A0012685.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012720.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012720.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012726.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012726.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012730.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012730.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012735.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012735.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012757.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012757.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012762.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012762.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012782.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012782.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012788.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012788.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012809.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012809.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012815.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012815.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012821.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP47\A0012821.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012881.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012881.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012886.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012886.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012906.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012906.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012916.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012916.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012921.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012921.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012924.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012924.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012929.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012929.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012932.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0012932.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0013936.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0013936.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0013941.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0013941.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0013946.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP49\A0013946.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013969.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013969.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013973.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013973.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013979.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013979.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013984.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013984.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013988.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013988.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013993.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013993.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013997.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP50\A0013997.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP51\A0014029.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP51\A0014029.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP51\A0014034.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP51\A0014034.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP51\A0014038.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP51\A0014038.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP51\A0014043.dll
C:\System Volume Information\_restore{E3141EEA-1C7E-4027-904E-611A6C12B729}\RP51\A0014043.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\e0jmla111d.dll
C:\WINDOWS\system32\e0jmla111d.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\f4l00e3meh.dll
C:\WINDOWS\system32\f4l00e3meh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\gymf32.dll
C:\WINDOWS\system32\gymf32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lvpq0975e.dll
C:\WINDOWS\system32\lvpq0975e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ofjsel.dll
C:\WINDOWS\system32\ofjsel.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2D17CE6F-CEEF-41B9-8731-C2B12C889CAF}"
HKCR\Clsid\{2D17CE6F-CEEF-41B9-8731-C2B12C889CAF}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

sand man
2006-03-15, 06:47
Here is the HijackThis log (see note above for reason for split).

Logfile of HijackThis v1.99.1
Scan saved at 9:39:33 PM, on 3/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [SiS Mpc Service] C:\WINDOWS\system32\mpcsvc.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

pskelley
2006-03-15, 15:02
Follow these instructions in the posted order:

1) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/); it is a trial version of the program.
Install ewido security suite.
Launch ewido: there should be an icon on your desktop, double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
WIN32.VB.KC TROJAN
O4 - HKLM\..\Run: [SiS Mpc Service] C:\WINDOWS\system32\mpcsvc.exe
probably Troj/Ciadoor-AA
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
DSSAgent by Brøderbund - spyware see this: http://cexx.org/dssagent.htm
(next I can't identify and suggest you remove it)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Right-click on Start, then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\igps.exe >>> file

C:\WINDOWS\system32\mpcsvc.exe >>> file

C:\WINDOWS\BBSTORE\ >>> folder (because they place this junk on the machine, I suggest you get rid of them. If you do not wish to do so, delete at least this file: DSSAGENT.EXE)

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions: http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and any comments you have. How is the computer running now?

Thanks...Phil

sand man
2006-03-16, 21:55
Appreciate the continued support. I won't be able to carry out these next steps till Saturday. Will post the logs then.

I was not on the computer much but the pop-ups stopped.

Once again thanks for the help

sand man
2006-03-18, 21:06
Phil, I followed your latest directions. Everything seems to run fine except I could not find the igps.exe and the mpcsvc.exe files. I think I correctly enabled the hidden folders and programs but let me know if you think I missed something.

Here is the ewido file (this is from the second time I ran it; the first time it did not delete all the bad files so I reran it) and the HijackThis log.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:39:39 AM, 3/18/2006
+ Report-Checksum: 5021EE09

+ Scan result:

[1276] C:\WINDOWS\system32\floop32.dll -> Proxy.Small.dm : Error during cleaning
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Logger.Small.dg : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__floop32.dll -> Proxy.Small.dm : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:02:34 PM, on 3/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\My Documents\antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


By the way, after we get this all cleaned up, which programs should I run on a regular basis to keep the bad stuff out?

thanks again for all the help.

pskelley
2006-03-18, 22:06
Looks like everything went fine except for one item ewido could not remove:
[1276] C:\WINDOWS\system32\floop32.dll -> Proxy.Small.dm : Error during cleaning
Your HJT log is also clean, and you are right, I tend to overkill. The other tools and HJT will normally get rid of the junk; I like to make a last check manually to make sure nothing is left. That is what you will probably need to do with the item ewido could not remove. You can run the scan again in safe mode if you wish, but it would probably be easier to just delete it manually rather than run the scan. Start your computer in safe mode:
http://www.bleepingcomputer.com/tutorials/tutorial61.html then navigate to C:\WINDOWS\system32\floop32.dll <<< file and delete that file.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam


"By the way, after we get this all cleaned up, which programs should I run on a regular basis to keep the bad stuff out?" If I had the answer to that question, I would be counting my $$ over at Bill Gates' house...lol. Truthfully, I believe it depends more on the user than the tools. The best, most expensive tool is worthless if not used right. The links will provide information from folks more knowledgeable than me; read what they have to say. I personally use McAfee VSO, SP2 firewall on one and Zone Alarm free on the other two. I run all freeware products; along with Ad-aware and Spybot, I use these:
http://www.bleepingcomputer.com/forums/tutorial48.html
SpywareBlaster
http://www.bleepingcomputer.com/forums/tutorial49.html
SpywareGuard:
http://www.bleepingcomputer.com/forums/tutorial50.html
IE-Spyad
http://www.bleepingcomputer.com/forums/tutorial53.html

I will mention that this freeware product by Microsoft is getting a lot of good feedback: http://russelltexas.com/malware/defender.htm

If all is well on your end, you are good to go:bigthumb: Safe surfing...Phil:)

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
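Triage logic for the two report formats exchanged in this thread: the HijackThis entries pskelley told the poster to fix (blanked R0/R1 values, the O4 Run items for igps.exe, mpcsvc.exe and DSSAGENT.EXE, the O18 filter with no file) and the ewido report line that stayed at "Error during cleaning". This is an added example, not code from the thread or from either tool; the sample lines are constructed from the logs posted above, and the flagged file names are the ones the helper named.

```python
import re
# Constructed samples modelled on the HijackThis log and ewido report in this thread.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""
EWIDO_SAMPLE = r"""
[1276] C:\WINDOWS\system32\floop32.dll -> Proxy.Small.dm : Error during cleaning
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Logger.Small.dg : Cleaned with backup
"""
# File names the helper in this thread identified as malware/adware startup items.
BAD_STARTUP_FILES = {"igps.exe", "mpcsvc.exe", "dssagent.exe"}
HJT_LINE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
EXE_NAME = re.compile(r'([^\\"]+?\.exe)\b', re.IGNORECASE)
EWIDO_HIT = re.compile(r"^(?:\[\d+\] )?(?P<path>.+?) -> (?P<name>\S+) : (?P<status>.+)$")

def triage_hjt(log_text, bad_files=BAD_STARTUP_FILES):
    """Return (section, reason, line) for HJT lines that need a manual decision."""
    hits = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            # Blank or about:blank start/search values are the residue of a browser hijack.
            value = body.partition("=")[2].strip()
            if value in ("", "about:blank"):
                hits.append((sec, "IE setting blanked or hijacked", line.strip()))
        elif sec == "O4":
            run = RUN_ENTRY.match(body)
            exe = EXE_NAME.search(run.group("cmd")) if run else None
            if exe and exe.group(1).lower() in bad_files:
                hits.append((sec, "known-bad startup item", line.strip()))
        elif sec == "O18" and body.endswith("(no file)"):
            # A MIME filter whose handler DLL no longer exists: orphaned registration.
            hits.append((sec, "filter with missing handler", line.strip()))
    return hits

def ewido_uncleaned(report_text):
    # Hits left uncleaned; a bracketed prefix like [1276] marks one found loaded in a
    # running process, which is why the thread falls back to deleting it from safe mode.
    return [(m.group("path"), m.group("name"), m.group("status"))
            for m in map(EWIDO_HIT.match, report_text.strip().splitlines())
            if m and not m.group("status").startswith("Cleaned")]
```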

tashi
2006-03-25, 22:02
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.
Glad we could help. :bigthumb: