Hjt

jamie823

The script did not recognize the services listed below.

This does not mean that they are a problem.

 

To copy the entire contents of this document for posting:

At the top of this window click "Edit" then "Select All"

Next click "Edit" again then "Copy"

Now right click in the forum post box then click "Paste"

 

########################################

 

ServiceFilter 1.1

by rand1038

 

Microsoft Windows XP Professional

Version: 5.1.2600

Nov 26, 2004 9:33:33 AM

 

 

===> Begin Service Listing <===

 

Unknown Service #1

Service Name: SwPrv

Display Name: MS Software Shadow Copy Provider

Start Mode: Manual

Start Name: LocalSystem

Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...

Service Type: Own Process

Path: c:\windows\system32\dllhost.exe /processid:{37f137e2-3937-4b86-9f70-a1b1d693bb0c}

State: Stopped

Process ID: 0

Started: False

Exit Code: 1077

Accept Pause: False

 

 

2. no instances of services.exe found

 

3. HKLM\System\CurrentControlSet\Services

 

+ AudioSrv Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ BITS Uses idle network bandwidth to transfer data. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ ccEvtMgr Symantec Event Manager Symantec Corporation c:\program files\common files\symantec shared\ccevtmgr.exe

 

+ CryptSvc Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

 

+ Dhcp Manages network configuration by registering and updating IP addresses and DNS names. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ dmserver Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

 

+ Dnscache Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

 

+ ERSvc Allows error reporting for services and applictions running in non-standard environments. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ Eventlog Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Microsoft Corporation c:\windows\system32\services.exe

 

+ helpsvc Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ LmHosts Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ NProtectService Norton Protection Status (Not verified) Symantec Corporation c:\program files\norton systemworks\norton utilities\nprotect.exe

 

+ Pctspk PCTSPK.EXE PCtel, Inc. c:\windows\system32\pctspk.exe

 

+ PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Microsoft Corporation c:\windows\system32\services.exe

 

+ PolicyAgent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Microsoft Corporation c:\windows\system32\lsass.exe

 

+ ProtectedStorage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Microsoft Corporation c:\windows\system32\lsass.exe

 

+ RemoteRegistry Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ RpcSs Provides the endpoint mapper and other miscellaneous RPC services. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ SamSs Stores security information for local user accounts. Microsoft Corporation c:\windows\system32\lsass.exe

 

+ SBService ScriptBlocking registration Symantec Corporation c:\program files\common files\symantec shared\script blocking\sbserv.exe

 

+ Schedule Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ SENS Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ ShellHWDetection Provides notifications for AutoPlay hardware events. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ Spooler Loads files to memory for later printing. Microsoft Corporation c:\windows\system32\spoolsv.exe

 

+ Themes Provides user experience theme management. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ TrkWks Maintains links between NTFS files within a computer or across computers in a network domain. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ uploadmgr Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

 

+ W32Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ winmgmt Generic Host Process for Win32 Services Microsoft Corporation c:\windows\system32\svchost.exe

 

+ WmdmPmSp Retrieves the serial number of any portable music player connected to your computer Microsoft Corporation c:\windows\system32\svchost.exe

 

+ wuauserv Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. Microsoft Corporation c:\windows\system32\svchost.exe

 

+ WZCSVC Provides automatic configuration for the 802.11 adapters Microsoft Corporation c:\windows\system32\svchost.exe

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

 

+ C:\WINDOWS\system32\userinit.exe, Userinit Logon Application Microsoft Corporation c:\windows\system32\userinit.exe

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

 

+ C:\WINDOWS\system32\fservice.exe c:\windows\system32\fservice.exe

 

+ Explorer.exe Windows Explorer Microsoft Corporation c:\windows\explorer.exe

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

+ BootWarn Norton AntiVirus Boot Warning Symantec Corporation c:\program files\norton systemworks\norton antivirus\bootwarn.exe

 

+ ccApp Common Client CC App Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe

 

+ ccRegVfy Common Client Registry Integrity Verifier Symantec Corporation c:\program files\common files\symantec shared\ccregvfy.exe

 

+ msnappau MSN Updater (Not verified) Microsoft Corporation c:\program files\msn apps\updater\01.02.3000.1001\en-us\msnappau.exe

 

+ Propel Accelerator LocalNet Express 2.0: Tray Control (Not verified) Propel Software Corporation c:\program files\localnet express 2.0\trayctl.exe

 

+ SunJavaUpdateSched c:\program files\java\j2re1.4.2_05\bin\jusched.exe

 

+ THGuard TrojanHunter Guard (Not verified) Mischel Internet Security c:\program files\trojanhunter 4.0\thguard.exe

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

 

+ Internet Answering Machine.lnk Internet Answering Machine CallWave, Inc. c:\program files\callwave\iam.exe

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

 

+ DirectX For Microsoft® Windows c:\windows\system32\fservice.exe

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

+ msnmsgr MSN Messenger (Not verified) Microsoft Corporation c:\program files\msn messenger\msnmsgr.exe

 

+ Yahoo! Pager Yahoo! Messenger (Not verified) Yahoo! Inc. c:\program files\yahoo!\messenger\ypager.exe

 

Task Scheduler

 

+ Symantec NetDetect.job Symantec NetDetect Symantec Corporation c:\program files\symantec\liveupdate\ndetect.exe

 

Accept Stop: False

 

---> End Service Listing <---

 

There are 75 Win32 services on this machine.

1 were unrecognized.

 

Script Execution Time: 1.441406 seconds.


1.

Download Pocket kill box here

 

Unzip the folder to your desktop.

 

2.

Copy the information in the quote box to Notepad. Save it to your desktop as type "All Files" and name it pro.reg (note it is the same as you previously did, so you don't have to recreate it if you still have it).

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

"DirectX For Microsoft® Windows"=-

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Shell"="Explorer.exe"

 

[-HKEY_CURRENT_USER\Software\Microsoft DirectX]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\(5Y99AE78-58TT-11dW-BE53-Y67078979Y)]

 

3.

Download Process Explorer here and unzip it.

 

4.

Disconnect from the internet, and make sure Norton AntiVirus real-time protection is not running (right-click on it in the system tray and disable it).

 

5.

Open Process Explorer. The top pane will show the processes that are running. Look through the list for services.exe. There will be two running. Place your mouse pointer over both of them and find the one that is in C:\Windows. When you find it, right-click on it and select Kill Process Tree. If you get any messages about it being a system file etc., ignore them and kill it.

 

6.

Double-click the pro.reg file you created and grant it permission to merge the registry entries.

 

7.

If you were successful in killing the C:\windows\services process, browse to and delete the file C:\WINDOWS\services.exe. If that is successful, go to step 9. If not, do step 8.

 

8.

Open killbox that you downloaded in the first step.

 

Make sure the following are checked

 

Delete on Reboot

End Explorer Shell While Killing File

 

Then type the full path to the following files in the killbox address bar:

 

C:\WINDOWS\services.exe

 

Then press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot. Click Yes and allow it to reboot.

 

9.

Reboot, Scan and post another log after the reboot.


yellowhammer, I'm in the process of following your directions. When I opened Process Explorer I did in fact have two running: one was C:\windows\system32\services.exe and the other was just services.exe. Am I correct in assuming the first one is the one I want to kill? Please understand, I'm just wanting to make sure I do the correct thing before I change something I can't change back :). Patiently waiting for your reply.


yellowhammer, sorry to be so much trouble lol... I right-clicked on services.exe and tried to confirm the Kill Process Tree, but it came up with an error that said "error opening services.exe" and wouldn't kill it. Any ideas? jamie


7.

If you were successful in killing the C:\windows\services process, browse to and delete the file C:\WINDOWS\services.exe. If that is successful, go to step 9. If not, do step 8.

 

8.

Open killbox that you downloaded in the first step.

 

Make sure the following are checked

 

Delete on Reboot

End Explorer Shell While Killing File

 

Then type the full path to the following files in the killbox address bar:

 

C:\WINDOWS\services.exe

 

Then press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot. Click Yes and allow it to reboot.

 

9.

Reboot, Scan and post another log after the reboot.


new log after reboot:

 

Logfile of HijackThis v1.98.2

Scan saved at 10:37:31 PM, on 11/26/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\services.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\CallWave\IAM.exe

C:\Program Files\LocalNet Express 2.0\PropelAC.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;<local>

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\LocalNet Express 2.0\prpl_IePopupBlocker.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"

O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\LocalNet Express 2.0\trayctl.exe" /STARTUPLAUNCH

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [bootWarn] C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\LocalNet Express 2.0\pac-addwl.html

O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-page.html

O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-image.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...386/mcfscan.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BCE64585-51A5-466F-8809-F9AC4846CB6A}: NameServer = 207.251.201.10 207.251.201.11

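The helpers in this thread are reading the logs by eye for two things: a file with a core system name (services.exe) running from somewhere other than System32, and an extra program chained onto the Winlogon Shell value (the fservice.exe entry in the startup listing of the first post, and the F2 line in the HijackThis logs). The following Python script is an added example, not part of the thread and not a HijackThis feature; it applies those two checks to HijackThis 1.98-style log lines and also marks a browser proxy that points at a local port. The sample lines are excerpted from the two logs posted above; the list of core process names and the severity labels are my own assumptions.

```python
"""Flag the masquerade patterns chased in this thread in a HijackThis 1.98-style log."""
import re
from pathlib import PureWindowsPath

# Process names that legitimately live in %SystemRoot%\System32 on Windows XP.
# The same name anywhere else (C:\WINDOWS\services.exe in the log above) is the
# classic trick of hiding a trojan behind a trusted file name. (Assumed list.)
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\System32")


def _in_dir(path, directory):
    """Case-insensitive test that `path` sits directly inside `directory`."""
    return str(PureWindowsPath(path).parent).lower() == str(directory).lower()


def analyze(log_text):
    """Return (severity, reason, line) triples; severity is 'high' or 'review'."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if re.match(r"^[A-Za-z]:\\", line):
                name = PureWindowsPath(line).name.lower()
                if name in CORE_PROCESSES and not _in_dir(line, SYSTEM32):
                    findings.append(("high", f"{name} running outside System32", line))
                continue
            in_processes = False  # first non-path line ends the process list
        # HijackThis prints an F2 Shell entry only when the value is not the stock
        # Explorer.exe, so a clean log normally carries no F2 Shell line at all.
        m = re.match(r"^F2 - REG:system\.ini: Shell=(.*)$", line)
        if m:
            shell = m.group(1).strip()
            if not shell:
                findings.append(("review", "Winlogon Shell value is empty", line))
            elif shell.lower() != "explorer.exe":
                findings.append(("high", "extra program chained onto Winlogon Shell", line))
            continue
        # A proxy on localhost can be malware intercepting the browser, but it can
        # also be a legitimate local web accelerator, so it is only a review item.
        m = re.match(r"^R1 - .*ProxyServer = (.*)$", line)
        if m and re.search(r"localhost|127\.0\.0\.1", m.group(1), re.IGNORECASE):
            findings.append(("review", "browser proxied through a local port", line))
    return findings


# Excerpt of the first HijackThis log in this thread (the infected state).
LOG_BEFORE = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\services.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"""

# Excerpt of the second log, after C:\WINDOWS\services.exe was removed.
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
F2 - REG:system.ini: Shell=
"""

if __name__ == "__main__":
    for label, text in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(f"== {label} ==")
        for severity, reason, line in analyze(text):
            print(f"[{severity}] {reason}: {line}")
```

Run against the first log it reports the rogue C:\WINDOWS\services.exe and the fservice.exe chained onto the Shell value as high; against the second log only the empty Shell value (the entry FZWG later asks HijackThis to fix) and the localhost proxy remain, both as review items. The proxy is deliberately not treated as proof of infection: the Propel Accelerator present in these logs is exactly the kind of local web accelerator that legitimately routes the browser through a local port, so that finding needs a human to confirm which program owns the port.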

Something is obviously protecting C:\windows\services. I have a couple more suggestions.

 

First, repeat the last set of instructions, but do them in safe mode. Let's see where that gets us. After that I have one more idea.


OK, safe mode isn't gonna work... I tried three times to boot into safe mode and was able to bring up the killbox, but when I went to type in the path my PC froze and I had to manually restart. Something that is puzzling me, but I'm not sure is related, is every time I log on I get a pop-up from Symantec that says "scanning mail message". Do you think this is related? I'm running out of options here and wondering if I shouldn't just reformat. You said you may have another suggestion to try though, so we might try it since we've tried everything else :blink:


Earlier you were asked to check for the file KTD32.ATM and said you found it. See if you can delete it.

 

If Norton is scanning emails at boot up then something is sending out the email. That is a good piece of information. Why don't you download Sygate Personal Firewall and install it as it does not look like you have a firewall installed. After a reboot it will be enabled. At that point it will start monitoring programs accessing the internet. Right click on it in the system tray and select "applications" and then remove all. That will force it to ask permission for each program that tries to access the net.

 

You will get a pop up message asking for permission for a program to access the net. If an email is being sent, it will identify the program that is trying to send it.

 

Get that information and post back.

 

Get the firewall here: http://www.tucows.com/preview/213160.html

Edited by yellowhammer


yellowhammer, I downloaded the firewall as you suggested and rebooted, but how do I know it's there and working? It doesn't show up in my system tray and doesn't want to open when I click on it in the Start menu. Is it possible the problems I'm having are keeping it from working also? Just don't know where to go with this now.


Logfile of HijackThis v1.98.2

Scan saved at 12:21:28 PM, on 11/27/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\LocalNet Express 2.0\PropelAC.exe

C:\Program Files\CallWave\IAM.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;<local>

F2 - REG:system.ini: Shell=

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\LocalNet Express 2.0\prpl_IePopupBlocker.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"

O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\LocalNet Express 2.0\trayctl.exe" /STARTUPLAUNCH

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [bootWarn] C:\Program Files\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\LocalNet Express 2.0\pac-addwl.html

O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-page.html

O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-image.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...386/mcfscan.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BCE64585-51A5-466F-8809-F9AC4846CB6A}: NameServer = 207.251.201.10 207.251.201.11


Oh my gosh jacee, can you believe it?!! lol... You guys have been wonderful and I can't thank you enough. Is there anything I should clean up now? Also, I was still wondering about the Sygate firewall, can't seem to get it to open. Any idea?

:bang: Should have known I wouldn't get so lucky... Just ran HouseCall and it says I'm still infected with 4 viruses. When are these gonna go away?... Have no clue what to do now.


Housecall should be able to delete them. If not, get the names and delete them manually.

 

Sygate does not appear to be running based on your last log. Try uninstalling and reinstalling it now that the trojan is gone.


OK, I was finally able to download Sygate and got it working. Only problem is my PC is super slow now. Is this normal? Also I had another question: ever since I've been having these problems my PC shows me as disconnected in Network Connections and I have no connection icon in the system tray; however, when I bring up Task Manager it shows I actually am connected. I've checked and unchecked boxes and everything seems to be in order, but because of this, every time I need to disconnect from the net I have to reboot my PC. Any ideas on this one?


jamie823,

 

You are a champ!! You hung right in there following all sorts of instructions.

 

After you check out yellowhammer's suggestion, this is rather simple, but give the system a good scrub-down with the following to see if it works better:

 

Download Spybot Search and Destroy :

http://www.majorgeeks.com/download2471.html

-After installing the program, make sure you click on: Search for Updates

 

From the top menu bar, click Mode and select Advanced Mode if it is not already selected.

Click Tools and in the right pane, click Secure Shredder , and then click it again when it appears in the left pane.

 

Click the Templates pull-down in the top right pane to add files.

Select: Add files from Temp folder

The files are displayed in the open area under Filename.

Click: Chop it away! (This may take a couple of minutes depending on the load.)

 

Now, go back to the Templates pull down

Select: Add Internet Explorer cache files

The files are added on and displayed in the open area under Filename.

Click: Chop it away!

 

Once again, back to the Templates pull down

Select: Add Internet Explorer cookie files

The files are added on and displayed in the open area under Filename.

(Cookies may contain logon information for a website, and you will need to log on again to the particular websites for which the cookies are removed.)

Click: Chop it Away!

 

When done with Secure Shredder, exit out of Spybot Search and Destroy.

Reboot the computer

 

Empty the Recycle Bin.

 

Open Spybot Search and Destroy once again.

-This time select: Check for Problems

-Have Spybot remove all the items in RED by clicking on the button labeled:

Fix Selected Problems

Restart the computer when done.

 

Now, download AdAware SE from the following link:

http://www.majorgeeks.com/download506.html

-Use the: 'Check for Updates Now' option and download the latest reference files

-Use the Start button, and on the next window, select: Perform Full System Scan

-Press Next, and let Ad-aware scan the hard drive

-When finished, right-click the window with the entries, choose: Select All from the menu, and click Next.

-Once AdAware has removed the entries, close the program

Restart the computer

 

Next, make sure all windows and browsers are closed before proceeding to run HijackThis and Scan. Fix the following by placing a check in the appropriate box and selecting Fix Checked:

 

F2 - REG:system.ini: Shell=

 

At one point you enabled the viewing of Hidden Files and Folders as follows:

[start>My Computer, select the Tools menu and then Folder Options, after the new window appears select the View tab…]

This time select the following button: Restore Defaults

Select: Apply, and click OK

 

Now, head for the Microsoft Windows Updates website!!!!

http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us

 

Your log shows that you are running an outdated and vulnerable version of XP and Internet Explorer:

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

The first defense against infection is a properly updated system. Connecting to the internet with no updates installed is the equivalent of dragging a magnet through a pile of metal shavings!!

 

It may take a while with a dial-up connection, but have your system scanned, and download/install all Critical Updates on offer. The updates will fix bugs, update a number of important system files, and plug many security vulnerabilities. This step is absolutely necessary if you want to avoid malware infection problems in the future.

 

On the network connection issue, your best bet is to visit the Networking/Internet Connections forum for assistance: http://pcpitstop.ibforums.com/index.php?showforum=8

 

Once again, thank you for your patience, and performing all the procedures requested.

Edited by FZWG


FZWG: I followed all your instructions, but when I went to check for critical updates the only one it lists is SP2. I've been unsure about doing this one because of all the bad things I've heard about it; what would you suggest? Also, one more quick question and I'll try not to bother you anymore :blushing: I just ran TrojanHunter and I'm still getting the following: Registry key exists: HKEY_CURRENT_USERS\Software\bundles (matches Adware.WebRebates.106). Is this something I should be concerned about, and how do I fix it?

Edited by jamie823


jamie823,

 

Post another log, just to see what is on it at this point. Maybe something will pop up that will allow us to get rid of a WebRebates entry.

 

On SP2, some folks hate it, others say it is OK. I haven't gotten it either.

 

Using Custom Install, does it not show any Critical Updates for you? If not, I would think you are probably up to date then.

 

BTW, you are not bothering anyone. If you are still having problems, we'll take a shot at them.

 

Just hope nothing backfires!!! :mrgreen:

Edited by FZWG


Logfile of HijackThis v1.98.2

Scan saved at 5:16:49 PM, on 11/28/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\TrojanHunter 4.0\THGuard.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\LocalNet Express 2.0\PropelAC.exe

C:\Program Files\CallWave\IAM.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;*windowsupdate.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;<local>

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\LocalNet Express 2.0\prpl_IePopupBlocker.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"

O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\LocalNet Express 2.0\trayctl.exe" /STARTUPLAUNCH

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\LocalNet Express 2.0\pac-addwl.html

O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-page.html

O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-image.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...386/mcfscan.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BCE64585-51A5-466F-8809-F9AC4846CB6A}: NameServer = 207.251.201.10 207.251.201.11

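The checks FZWG makes by eye on the log above, together with the F2 Shell= fix requested earlier in the thread, as an added Python example (not part of the thread and not HijackThis code): it parses HJT entry lines and flags a blank or non-default Shell= value, a browser proxy pointing at a local listener, autoruns whose executable sits outside Windows/Program Files, and DNS servers outside an expected set. The sample entries are constructed (the R1, O4 and O17 lines copy formats from the posted log, the Temp-folder autorun is invented to show what a hit looks like), the resolver set and the trusted directory roots are assumptions, and O16 entries are deliberately not scored. HijackThis F2 lines are the registry-mapped system.ini Winlogon values: a blank Shell= is the benign case HJT offers to fix, whereas a value other than Explorer.exe means something has replaced the shell and deserves a look before it is removed.

```python
"""Triage checks over HijackThis (v1.98-era) log entries.

Added example for this thread, not code from HijackThis or the forum. The
sample entries below are constructed: the R1, O4 and O17 lines copy the
formats seen in the posted log, the F2 line is the blank Shell= entry the
reply tells the user to fix, and the Temp-folder O4 line is invented to
show what a suspicious autorun looks like.
"""
import re
from typing import Iterable, List, Set, Tuple

SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080",
    r"F2 - REG:system.ini: Shell=",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe /s",
    r"O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{BCE64585-51A5-466F-8809-F9AC4846CB6A}: NameServer = 207.251.201.10 207.251.201.11",
])

# Assumption: the two resolvers in the posted O17 line are the ISP's own.
EXPECTED_DNS: Set[str] = {"207.251.201.10", "207.251.201.11"}

# Assumption: a default single-drive XP install, so legitimate autoruns
# live under one of these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def exe_path(body: str) -> str:
    """Extract the executable path from an O4 body (Run key or startup folder)."""
    if "] " in body:                 # 'HKLM\..\Run: [name] cmd args'
        cmd = body.split("] ", 1)[1]
    elif " = " in body:              # 'Global Startup: x.lnk = cmd'
        cmd = body.split(" = ", 1)[1]
    else:
        cmd = body
    cmd = cmd.strip()
    if cmd.startswith('"'):          # quoted path: everything up to the closing quote
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)   # unquoted: stop at the first .exe
    return m.group(1) if m else cmd.split()[0]


def triage(entries: Iterable[Tuple[str, str]], expected_dns: Set[str]) -> List[str]:
    """Apply the checks a log reviewer makes by eye; one string per finding."""
    findings: List[str] = []
    for sec, body in entries:
        if sec == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip()
            if shell == "":
                findings.append("F2: system.ini Shell= is blank (harmless; HijackThis can fix it)")
            elif shell.lower() != "explorer.exe":
                findings.append(f"F2: non-default shell '{shell}'; investigate before fixing")
        elif sec == "R1" and "ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            if "localhost" in proxy or "127.0.0.1" in proxy:
                findings.append(f"R1: browser proxied through a local listener ({proxy}); identify the listening process")
        elif sec == "O4":
            path = exe_path(body)
            if not path.lower().startswith(TRUSTED_ROOTS):
                findings.append(f"O4: autorun outside Windows/Program Files: {path}")
        elif sec == "O17" and "NameServer =" in body:
            servers = body.split("NameServer =", 1)[1].split()
            unknown = [s for s in servers if s not in expected_dns]
            if unknown:
                findings.append("O17: DNS servers not in the expected set: " + " ".join(unknown))
    return findings


def run_sample() -> List[str]:
    """Run the checks over the constructed sample log."""
    return triage(parse_log(SAMPLE_LOG), EXPECTED_DNS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, the ccApp and CallWave autoruns and the ISP resolvers pass, while the local proxy, the blank Shell= line and the Temp-folder autorun are reported. The R1 hit is a prompt to look, not a verdict: on the posted log that listener is the Propel accelerator that also owns the ProxyOverride entry, and a reviewer confirms that by matching the port to a known process rather than by removing the entry.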

jamie823,

 

Your log looks good. Don't see any malware.

 

Will check out the TrojanHunter issue a little more, but might not be anything to get concerned about.

 

Now, these you do need:

 

Internet Explorer 6 Service Pack 1:

http://www.microsoft.com/windows/ie/downlo...p1/default.mspx

 

Windows XP Service Pack 1a

http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
