Jump to content

Build Theme!
  •  
  • Infected?

big grin WE'RE SURE THAT YOU'LL LOVE US!

We invite you to ask questions, share experiences, and learn. It's 100% free. Did we mention that it's free. It is. It's free. Join 91601 other members! Anybody can ask, anybody can answer. Consistently helpful members with best answers are invited to staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

I Need Help. Errors!


  • This topic is locked This topic is locked
37 replies to this topic

#1 Starwalker

Starwalker

    Authentic Member

  • Authentic Member
  • PipPip
  • 188 posts

Posted 10 March 2007 - 01:25 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:08:44 AM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\Lynne\Desktop\Virus & Adware Scanners\hijackthis\HijackThis.exe
C:\Documents and Settings\Lynne\Desktop\Virus & Adware Scanners\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - 4-974F-4224-D074-CACA427AA030} - (no file)
O2 - BHO: (no name) - ?8E815-4A5E-4DFB-845E-AAB64207F5BD} - (no file)
O2 - BHO: (no name) - ?49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_x7328e0\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: YExplorer1_8US.CAB -
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D9C8D79-7F42-402C-95E7-8B764A8522A8}: NameServer = 206.74.254.2,204.116.57.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~2\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Errors I am getting=It lists 2 errors.
C:\DOCUME~1\Lynne\LOCALS~1\Temp\WER3c38.dir00\iexplore.exe.mdmp
C:\DOCUME~1\Lynne\LOCALS~1\Temp\WER3c38.dir00\appcompat.txt

This one is happening on PC Pitstop.
Runtime Error!
Program:C:\Program Files\Internet Explorer\IEXPLORE.EXE

I no longer have Yahoo messenger. I access thu My Yahoo web page now. I have no idea what these are on there.
O2 - BHO: (no name) - 4-974F-4224-D074-CACA427AA030} - (no file)
O2 - BHO: (no name) - ?8E815-4A5E-4DFB-845E-AAB64207F5BD} - (no file)
O2 - BHO: (no name) - ?49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O11 - Options group: [INTERNATIONAL] International*
O2 - BHO: (no name) - rsion - (no file)

PC Ptstop.- I don't know if I posted this right.
TechExpress link for your current results:
http://www.pcpitstop...EPGFWNNMMJSQZGJ

I'd also like to know in detail what I can turn off and use only when I access it in the start up menu. Any info will greatly help. Thank you....Lynne

Edited by Starwalker, 10 March 2007 - 01:42 AM.

    Advertisements

Register to Remove


#2 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 10 March 2007 - 08:21 AM

Hello Starwalker and Welcome to TomCoyote,


Scan with HijackThis. Place a check against each of the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - 4-974F-4224-D074-CACA427AA030} - (no file)
O2 - BHO: (no name) - ? 8E815-4A5E-4DFB-845E-AAB64207F5BD} - (no file)
O2 - BHO: (no name) - ? 49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them (if they exist):
C:\Documents and Settings\Lynne\Local Settings\Temp\WER3c38.dir00\<=folder

Exit Explorer.

This scan works with Internet Explorer.
======
Panda Active Scan
Please go to Panda ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, by using Add Reply.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#3 Starwalker

Starwalker

    Authentic Member

  • Authentic Member
  • PipPip
  • 188 posts

Posted 10 March 2007 - 02:31 PM

Thank you for helping. :) Windows says cannot be found. C:\Documents and Settings\Lynne\Local Settings\Temp\WER3c38.dir00\<=folder Running the scanner now.;)

Edited by Starwalker, 10 March 2007 - 02:49 PM.


#4 Starwalker

Starwalker

    Authentic Member

  • Authentic Member
  • PipPip
  • 188 posts

Posted 10 March 2007 - 04:08 PM

Incident Status Location

Dialer:dialer.bny Not disinfected c:\windows\pcconfig.dat
Adware:adware/powerscan Not disinfected Windows Registry
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@adrevolver[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@atdmt[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@bluestreak[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@casalemedia[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@ccbill[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@counter14.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@counter7.sextracker[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@cs.sexcounter[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@fastclick[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@media.adrevolver[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@mediaplex[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@microsoftwga.112.2o7[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@overture[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@questionmarket[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@sextracker[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@tribalfusion[1].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Lynne\Cookies\lynne@xxxcounter[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lynne\Desktop\Virus & Adware Scanners\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lynne\Desktop\Virus & Adware Scanners\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Adware:Adware/WinAD Not disinfected C:\Program Files\IncrediMail\incredimail_install.exe
Adware:Adware/Startpage.RF Not disinfected C:\WINDOWS\Downloaded Program Files\search.inf
Spyware:Cookie/Outster Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@outster[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
HJT LOG=
Logfile of HijackThis v1.99.1
Scan saved at 4:09:52 PM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Documents and Settings\Lynne\Desktop\Virus & Adware Scanners\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_x7328e0\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoft....com/activescan (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: YExplorer1_8US.CAB -
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D9C8D79-7F42-402C-95E7-8B764A8522A8}: NameServer = 206.74.254.2,204.116.57.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~2\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by Starwalker, 10 March 2007 - 04:13 PM.


#5 Starwalker

Starwalker

    Authentic Member

  • Authentic Member
  • PipPip
  • 188 posts

Posted 10 March 2007 - 04:14 PM

Where in the !@#!@# did that XXX stuff come from? I don't go on that carp****. How does it get there?

Edited by Starwalker, 10 March 2007 - 04:15 PM.


#6 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 10 March 2007 - 05:20 PM

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose:Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click
  • No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE:If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
To delete cookies (Windows 98 and later)
  • . Quit Internet Explorer and quit any instances of Windows Explorer.
  • . In Control Panel , double-click Internet Options.
    [*[. On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • 4. Click OK.
Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
c:\windows\pcconfig.dat<=file
C:\WINDOWS\Downloaded Program Files\search.inf<=file
C:\WINDOWS\system32\config\systemprofile\Cookies\system@outster[2].txt<=file

Exit Explorer, and reboot as normal afterwards.

Please rerun Panda and let's see how we did.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#7 Starwalker

Starwalker

    Authentic Member

  • Authentic Member
  • PipPip
  • 188 posts

Posted 10 March 2007 - 08:58 PM

Ok, I did all the above. When I went to safe mode it showed nothing and told me to check spelling and try again. I am running the Panda now.

#8 Starwalker

Starwalker

    Authentic Member

  • Authentic Member
  • PipPip
  • 188 posts

Posted 10 March 2007 - 09:46 PM

Incident Status Location Dialer:dialer.bny Not disinfected c:\windows\pcconfig.dat Adware:adware/powerscan Not disinfected Windows Registry Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lynne\Desktop\Virus & Adware Scanners\SmitfraudFix\Process.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lynne\Desktop\Virus & Adware Scanners\SmitfraudFix.zip[SmitfraudFix/Process.exe] Adware:Adware/WinAD Not disinfected C:\Program Files\IncrediMail\incredimail_install.exe Adware:Adware/Startpage.RF Not disinfected C:\WINDOWS\Downloaded Program Files\search.inf Spyware:Cookie/Outster Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@outster[2].txt Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

#9 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 11 March 2007 - 12:48 PM

Do you use Incredimail?
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#10 Starwalker

Starwalker

    Authentic Member

  • Authentic Member
  • PipPip
  • 188 posts

Posted 11 March 2007 - 02:01 PM

Yep :blink:

    Advertisements

Register to Remove


#11 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 11 March 2007 - 05:02 PM

We still need to delete some files but we need to find out some information first. Since you use Incredimail, I want to proceed with caution and see if other applications detect the file as infected.

STEP 1.
======
Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
C:\Program Files\IncrediMail\incredimail_install.exe
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html
http://www.kaspersky...anforvirus.html

Please also check the properties of those files (right-click and select properties from the popupmenu). Look if you can find some company information, etc.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#12 Starwalker

Starwalker

    Authentic Member

  • Authentic Member
  • PipPip
  • 188 posts

Posted 11 March 2007 - 10:44 PM

File: incredimail_install.exe_ Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) MD5 55de1772ca1aab9a14096934c0f3337a Packers detected: - Scan taken on 12 Mar 2007 04:45:50 (GMT) AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found Generic.VEQ BitDefender Found nothing ClamAV Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing F-Secure Anti-Virus Found not-a-virus:Downloader.Win32.ImLoader.c (6, 2, 603) Fortinet Found nothing Kaspersky Anti-Virus Found not-a-virus:Downloader.Win32.ImLoader.c NOD32 Found nothing Norman Virus Control Found W32/DLoader.AJRW Panda Antivirus Found nothing VirusBuster Found nothing VBA32 Found Downloader.Win32.ImLoader.c There were no pop ups. Should there have been? :(

Edited by Starwalker, 11 March 2007 - 10:52 PM.


#13 Starwalker

Starwalker

    Authentic Member

  • Authentic Member
  • PipPip
  • 188 posts

Posted 11 March 2007 - 11:15 PM

Virus Total Scan Antivirus Version Update Result AntiVir 7.3.1.41 03.11.2007 no virus found Authentium 4.93.8 03.09.2007 no virus found Avast 4.7.936.0 03.11.2007 no virus found AVG 7.5.0.447 03.11.2007 Adware Generic.VEQ BitDefender 7.2 03.12.2007 no virus found CAT-QuickHeal 9.00 03.10.2007 no virus found ClamAV devel-20060426 03.12.2007 no virus found DrWeb 4.33 03.11.2007 no virus found eSafe 7.0.14.0 03.11.2007 no virus found eTrust-Vet 30.6.3471 03.12.2007 no virus found Ewido 4.0 03.11.2007 Not-A-Virus.Downloader.Win32.ImLoader.c FileAdvisor 1 03.12.2007 no virus found Fortinet 2.85.0.0 03.12.2007 no virus found F-Prot 4.3.1.45 03.09.2007 no virus found F-Secure 6.70.13030.0 03.11.2007 W32/DLoader.AJRW Ikarus T3.1.1.3 03.11.2007 no virus found Kaspersky 4.0.2.24 03.12.2007 not-a-virus:Downloader.Win32.ImLoader.c McAfee 4981 03.09.2007 no virus found Microsoft 1.2306 03.12.2007 no virus found NOD32v2 2107 03.11.2007 no virus found Norman 5.80.02 03.10.2007 W32/DLoader.AJRW Panda 9.0.0.4 03.12.2007 Adware/WinAD Prevx1 V2 03.12.2007 no virus found Sophos 4.15.0 03.10.2007 no virus found Sunbelt 2.2.907.0 03.10.2007 no virus found Symantec 10 03.12.2007 no virus found TheHacker 6.1.6.074 03.12.2007 no virus found UNA 1.83 03.11.2007 no virus found VBA32 3.11.2 03.10.2007 Downloader.Win32.ImLoader.c VirusBuster 4.3.19:9 03.11.2007 no virus found

#14 Starwalker

Starwalker

    Authentic Member

  • Authentic Member
  • PipPip
  • 188 posts

Posted 11 March 2007 - 11:23 PM

Kasperkey Scanned file: incredimail_install.exe - Infected incredimail_install.exe - infected by not-a-virus:Downloader.Win32.ImLoader.c Statistics: Known viruses: 280539 Updated: 12-03-2007 File size (Kb): 390 Virus bodies: 1 Files: 1 Warnings: 0 Archives: 0 Suspicious: 0

#15 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 12 March 2007 - 07:08 AM

Hi Starywarker,

Are you using the free version of Incredimail? If you are, it may be the reason why it is appearing to be infected.
http://www.incredima...dimail_free.asp
IncrediMail also sees revenue from advertising in 2 channels:
Web site Includes standard banner advertisements
Email application Advertisements displayed ONLY in a designated window (a.k.a. Status Window)

*Ads are only displayed in the free version of IncrediMail

=====================
Delete Files with Killbox

Download Pocket Killbox from http://www.downloads...org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
c:\windows\pcconfig.dat
C:\WINDOWS\Downloaded Program Files\search.inf
C:\WINDOWS\system32\config\systemprofile\Cookies\system@outster[2].txt


In Killbox click on the File menu and then the Paste from Clipboard item
in the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.)
  • Click the option to Delete on Reboot
  • Click End Explorer Shell while Killing File
  • Click All Files right of the flashing green "Single files"
  • Click Yes when it asks "Files will be Removed on Reboot, Do you want to reboot now?"
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.

Let me know if you are using the free version of Incredimail.
Posted Image

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users