Multitude of Trojans

hi SBDad,

that order looks fine to me. wow a 500 gb hd, thats huge.
thats the all-in-one suite firewall, antivirus etc?

shelf life
 
Yep, it’s a Seagate 500 GB. I got it for a pretty good price on sale too. It was maybe $25 US more than a 250 GB at the time. I figured with all of the pictures and music I should get them all off of the primary 80 GB drive anyways. It took some time getting XP and the BIOS to recognize the full size of the drive though; XP would only recognize 128 GB. I had to update the BIOS, install an XP MS Hotfix to update the Atapi.sys driver, rerun the Seagate DiskWizard to reboot and enable support for drives over 137 GB, and then rerun Seagate DiskWizard and reformat the drive. After all that I still had to install an Intel Chipset S/W Installation Utility to install the Intel Application Accelerator so the full 500 GB could be used, whew (as sweat drips off of the brow! :-).

Yes, the ZA package is the all-in-one. It’s ZoneAlarm Internet Security Suite 2007. It has, as the box lists, “Antivirus, Anti-Spyware, Network & Program Firewall, Operating System Firewall, Identity Theft Protection, Parental Control, Anti-Spam & More!”.

I forgot to ask, I vaguely remember that somewhere you can see what services and startup items are running and post/check somewhere a list (similar to hjt) and get advice on the stuff that’s running to remove items that really don’t need to be running. I guess this will help speed up the performance of the computer too. Any ideas on this? This computer seems to be slow compared to when I first got it 4 yrs ago, it’s a 1.9 GHz 400 MHz sidebus with 128 MB of RDRAM (yeh I know, more memory, but that RDRAM is too expensive, damn Dell :-). You would think that it’s still a pretty viable system.

I am going to do the items listed in the previous post today. Fingers-crossed!! I’ll post the results of the F-secure scan after that’s complete (sorry for the long post).

Thank you so much again shelf life for all of the help with this computer. I don’t think I would have been able to get it running again without your help. :bigthumb:
 
hi SBDad,

you should be set with that drive. what a pain to get it recognized.

i would look through the add/remove programs panel and uninstall anything you don't use. commercial computers come with plenty of bloatware on them.

to help control what starts up, you can use msconfig:

http://netsquirrel.com/msconfig/

http://www.help2go.com/Tutorials/Windows/Disable_Programs_Running_at_Startup.html

-------------------------
many services which are enabled by default are not needed and can be disabled:

http://www.blackviper.com/

http://www.beemerworld.com/tips/servicesxp.htm

only disable a few at a time and remember which ones, reboot and use the computer normally for a while to make sure you don't lose any functionality.

this might prove useful to you:

http://www.yorkspace.com/2006/04/38


shelf life
 
Hi shelflife. Sorry for the long delay. After installing ZA Security Suite, I tried to connect to the internet to update everything else, but couldn't get out (and it wasn't ZA as I shut it down and still couldn't connect). It took a while to find out the cause. Ipconfig had an error about a file missing, which MS's pages stated a reload was needed. I found in Dell's forums something on the error that fixed it, but then another popped up about the DHCP client and dependency service. I checked MS and Dell's sites but there was no info on this. Finally I googled the error and found out that even though I removed Norton AV, it still had its tentacles on the system. Here's the link to the fix, hopefully it might help someone else out: http://www.winforums.com/showthread.php?t=9587 & http://www.bl.com/moshe/text/quiddities/norton_errors.html.

Anyways, back to the virus/spyware removal. Once I was able to reconnect to the internet, I updated ZA, Spybot, and Ad-aware. I ran several scans with each until all found no baddies. I then updated WinXP, Office 2k/XP, and Java. I then reupdated ZA, Spybot, and Ad-aware and ran several more scans until clean. I also cleaned up some of the services and startups to try and speed it up a little. I then performed the online scan with F-Secure; it found two issues, although when I clicked on Auto clean it changed to nine, but then back to two. I also ran another hjt.

****************************************
Here's the Scanning Report from F-secure:

F-Secure Online Scanner 3.1.5 - Scanning Report - Friday, October 05, 2007 07:45:42
Scanning Report
Thursday, October 04, 2007 18:02:58 - 07:45:18
Computer name: xxxxxxxx
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\

Result: 2 malware found
Tracking Cookie (spyware)
System (Disinfected)
Trojan-Downloader.Win32.PurityScan.cr (virus)
C:\PROGRAM FILES\?DOBE\WUAUCLT.EXE

Statistics
Scanned:
Files: 183790
System: 6130
Not scanned: 4
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\DSS\MACHINEKEYS\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-10-04
F-Secure AVP: 7.0.171, 2007-10-04
F-Secure Orion: 1.2.37, 2007-10-04
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0598-150-72
F-Secure Pegasus: 1.19.0, 2007-09-02
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF
VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI
MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0
TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT
MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR
BZ2 HQX
Use Advanced heuristics

****************************************
Here's the hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 04:54:17 PM, on 10/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - AppInit_DLLs:
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

****************************************

Thanks again for the help with this shelflife and have a great weekend!
 
hi SBDad,

it's been a while. that latest hjt log looks ok as far as malware goes. norton can be a pain to remove. they do provide a "complete" uninstaller at their website.
you have it under control now?

shelf life
 
Hi shelflife. Yea, it took a bit to try and figure out why I couldn't connect, and not to do the drastic reload of XP. So, you think it's ok now? Safe to use on the internet again?

Thanks again!
 
Thanks again shelflife. Yep, I've been reading over your pages. Lots of info, good page to direct my family to so they understand the whys of good security.

I'm glad that the system is finally clean. Would you be able to tell me why it is running really slow now, and what could I supply to help with that? You can click on anything, whether it's a program, IE, start button, right click on the task bar, etc., and it takes upwards of two minutes before even responding (I've timed it). I tried looking over the running processes and removing items that are not needed, but it still seems like something is eating up the processor. I don't see anything in Task Manager that is causing the delay, but then again TM takes so long to come up that it might not even register the delay.

Thanks again for all of the help cleaning the system up and patiently reviewing the scans and answering the questions, sometimes months in delay. Have a great week!
 
hi SBDad,

slow computer: is spybot finding/cleaning anything after a scan? do another scan with hjt and post the log. also let's try running combofix to see if it can dig up anything:

Please download ComboFix (by sUBs) from one of the following links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log.

Please provide the contents of the ComboFix log in your reply and a new hjt log.

glad you enjoyed my web site, it's a very rare event to get any feedback on it.

shelf life
 
Hi shelflife. I found out something today. Spybot only scans for the user that is logged in at the moment. My account is the admin for the computer (but not the Admin account under Safe Mode), and I did all of the scans et al. while I was logged into my account. Your post got me thinking that I should log in as my daughter and rerun Spybot. Sure enough, even though while I was logged into my account it was 'clean', running the scan under her account found AdRevolver, BlueStreak, BurstMedia, CurePCSolution, DirectTrack, MaxFiles, Mediaplex, ReliableStats, Statcounter, TagASaurus, Tradedoubler, Virtumonde, Win32.Agent.qt, Win32.ConHook.ah, and Win32.Small.ddx.

One note, the computer has not been used since it was infected, and the only webpages visited during your help and up to now have been ZoneAlarm, MS Updates (both XP and Office), Spybot updates, Ad-aware updates, Java updates, and F-Secure (this doesn't mean the baddies in the background haven't been sneaky though).

I haven't downloaded Combofix yet, but I figured I'd give you a quick update and see what steps I should follow since there are four users, plus the Admin account. I would suspect that I have missed a few things.

Thanks again for everything! :oops:
 
hi SBDad,

hold off on combofix for now. let's see what spybot can dig up. i found this in a thread; looks like scanning each user account would be a good idea. malware in other accounts could explain the slowness you have been experiencing.

the thread:

"It should also be noted that if you use an alternate user account for scheduling purposes, you should periodically scan from your regular user account as well as any other user accounts on the system.

Although the entire system is scanned for most malware, because of restrictions in the Microsoft APIs (Application Program Interfaces) used by Spybot, the scan from one account does not include the Internet cache, cookies and some other user specific entries of other accounts."
__________________

shelf life
 
Thanks shelflife. I am in the process of scanning each user account. We'll see what we can get rid of on each. Sorry for the omission on the user accounts. I'll post back soon. Thanks again!

P.S. Maybe whatever is still hiding on the system is now causing the HP Image Zone software for my daughter's digital camera to keep asking for a CD labeled '1' to be inserted; this started after all of the cleaning and the updates (or maybe it just needs reloading because of the updates, I'm checking HP's site)...
 
Hi shelflife. Well, I posted a reply but for some reason it didn't post, so hopefully this isn't a repeat (maybe the forum timed out, man hopefully I remembered what I originally wrote). Anyways, thank you very much again for the ongoing work on this issue. I've scanned all of the user accounts on the system. Here's a synopsis of what was done:

o Scanned each user account with Spybot, Ad-aware, and ZA. No issues were found on my account and my daughters, but the other two user accounts had numerous items found. Removed items as they were found.
o After I was done removing the items with each scan in each user account, I went into Internet Options - Temporary Internet Files and clicked Delete Cookies and then Delete Files for each user; I also went into Settings and reduced the Disk Space used to 350 MB.
o I also used the Cache Cleaner in ZA to further clean up the drive.

o I updated SB, AA, and ZA, and rescanned each user with SB, AA, and ZA, further removing any other items found.
o I also again performed Delete Cookies, Delete Files, and used the Cache Cleaner in ZA for each user as outlined above.

o I unplugged the network cable from the router. Rebooted the system. Rescanned each user account with SB, AA, and ZA until no more items were found.
o I also again performed Delete Cookies, Delete Files, and used the Cache Cleaner in ZA for each user as outlined above.

o Booted to Safe Mode and logged into the Admin account. Scanned with SB and AA, no items found. Could not start ZA to scan or use the Cache Cleaner (maybe some of the drivers/dlls/etc that it uses are not started in SM).
o Also performed Delete Cookies, Delete Files and reduced the Disk Space Used to 350 MB (as outlined above) for the SM Admin user.
o Since I was already in SM, performed Disk Check on D drive and scheduled Disk Check for C drive. Rebooted to allow Disk Check to run for C drive.
o Rebooted to SM. Performed Defrag on D drive and C drive.

Whew. Now that all that has been done, booted system back up normally to my user account. System is still running slow. Still did not reconnect to router yet for safety. What should be the next course of action? I didn't post a new hjt log yet and I wanted to make sure what you needed. Thanks again shelflife for sticking with this long process of help. Take care and have a great week!
 
hi SBDad,

from what you've done and the results, looks like you can reconnect it to the router and the internet. a good tool for keeping temps, cookies etc cleaned up is atfcleaner, i may have suggested it before but i can't recall:

http://www.atribune.org/content/view/19/2/
---------------------------------------
post another hjt log for another look since it's been so long.

shelf life
 
Hi shelflife. The system was a little slower than normal, but as soon as I connected the router back up to it, man it's at a crawl now. Here is the hjt log from my user account. Should I run hjt for each user?

---------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 07:37:46 AM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - AppInit_DLLs:
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\DOCUME~1\Brian\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

---------------------------------------------

Thanks again. Have a great week!
 
hi SBDad,

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
for the slowness, you can try disabling Spybot's TeaTimer. it runs in the background if enabled. see if that helps.

is your norton antivirus active? you see the icon and can update/scan with it? i only ask because i don't see a service running in the O23 items list.

shelf life
 
Hi shelflife. Sorry, been away on business again, much to the dismay of my daughter who is itching for the computer again.

Anyways, I followed your instructions below this weekend. I fixed the two items. Norton is not active on this system; I have removed it, but as you know, it doesn't go away easily (it was one of the problems I was having with ZA's antivirus not running). Here's the hjt log after the fixes were done:

*************************************
Logfile of HijackThis v1.99.1
Scan saved at 08:21:23 PM, on 11/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\HijackThis\Scan.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - AppInit_DLLs:
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\DOCUME~1\Brian\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

*************************************

I was wondering if I should fix these as well:

O20 - AppInit_DLLs:
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\DOCUME~1\Brian\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe (file missing)

Thanks again shelflife!

P.S. Hi tashi. Thanks for asking before moving it to the archives. Is there a way to save the entire thread to a text file or something once we're done? I learned a lot with shelflife's help (THANKS!!) during this process and would like to save a record of what we did so I can remember later. Thanks again!
 
hello again,

Norton is not active on this system; I have removed it,
i don't see any signs of it in the hjt log. norton does have a "clean tool" that will remove norton products:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

in any case you need to get another av installed quickly.
here's one:
http://free.grisoft.com/doc/2/

I was wondering if I should fix these as well:

O20 - AppInit_DLLs:
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\DOCUME~1\Brian\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
yes you can have hjt "fix" those two.

shelf life
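The triage the helper walked through above (O6 policy restrictions, the O23 service with a missing binary, the empty O20 AppInit_DLLs line, and the "is there a live AV service in O23?" check) can be scripted. This is an added example written for this thread, not code from the original posts or from HijackThis; the sample lines are a constructed subset of the logs posted above, and the vendor list and temp-folder patterns are assumptions.

```python
"""Triage helper for HijackThis v1.99 log lines (added example for this thread)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 07:37:46 AM, on 10/24/2007

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs:
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\DOCUME~1\Brian\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HJT entry line starts with a section code such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# Folders a legitimate service or autostart binary should not live in (assumed list).
TEMP_PATH_RE = re.compile(
    r"(\\Temp\\|\\LOCALS~1\\|\\Local Settings\\|\\Temporary Internet Files\\)",
    re.IGNORECASE,
)
# Vendors named in the thread whose O23 service counts as a live AV/firewall (assumed list).
AV_VENDORS = ("Zone Labs", "Symantec", "F-Secure", "Grisoft")


@dataclass
class Entry:
    code: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_entries(log_text: str) -> List[Entry]:
    """Keep only the O/R/F entry lines; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(code=m.group("code"), body=m.group("body")))
    return entries


def flag_entry(e: Entry) -> List[str]:
    """Attach the same observations the helper made by hand to one entry."""
    flags = []
    if e.code == "O6":
        flags.append("IE policy restriction present in HKCU; fix unless an admin set it on purpose")
    elif e.code == "O20" and e.body.startswith("AppInit_DLLs:"):
        value = e.body[len("AppInit_DLLs:"):].strip()
        if value:  # an empty AppInit_DLLs line is normal; a populated one loads into every GUI process
            flags.append(f"AppInit_DLLs is populated: {value}")
    elif e.code == "O23":
        if "(file missing)" in e.body:
            flags.append("service points at a missing binary; orphaned entry, safe to fix")
        if TEMP_PATH_RE.search(e.body):
            flags.append("service binary lives under a temp/profile folder")
        if " - Unknown owner - " in e.body:
            flags.append("no vendor recorded; verify the publisher before trusting it")
    elif e.code == "O4" and TEMP_PATH_RE.search(e.body):
        flags.append("autostart launching from a temp/profile folder")
    elif e.code in ("O2", "O3") and "(no name)" in e.body:
        flags.append("unnamed BHO/toolbar; check the path (Spybot's SDHelper.dll is a known benign case)")
    e.flags = flags
    return flags


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that picked up at least one flag."""
    entries = parse_entries(log_text)
    for e in entries:
        flag_entry(e)
    return [e for e in entries if e.flags]


def av_services_present(entries: List[Entry]) -> List[str]:
    """Vendors with a live O23 service; a '(file missing)' service does not count."""
    found = set()
    for e in entries:
        if e.code != "O23" or "(file missing)" in e.body:
            continue
        for vendor in AV_VENDORS:
            if vendor.lower() in e.body.lower():
                found.add(vendor)
    return sorted(found)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.code, "|", e.body[:72])
        for f in e.flags:
            print("   ->", f)
    print("AV/firewall vendors with a live O23 service:",
          av_services_present(parse_entries(SAMPLE_LOG)))
```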
 