|
Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
![]() |
|
Topic Tools |
#1
|
|||
|
|||
MALWARE! Please help! HJ This logfile inside!
Logfile of HijackThis v1.99.1
Scan saved at 9:45:31 PM, on 10/30/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton Internet Security\NISUM.EXE C:\Program Files\Norton Internet Security\ccPxySvc.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ezSP_Px.exe C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe C:\program files\support.com\client\bin\tgcmd.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\AIM95\aim.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Steam\Steam.exe C:\WINDOWS\Downloaded Program Files\html.exe C:\Program Files\Microsoft Office\Office10\WINWORD.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\Explorer.EXE C:\Program Files\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdochop.dll/defaultASX.htm#privacy_API; R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx Please help! |
#2
|
||||
|
||||
Please stop posting new topics bravesirrobin12, all that does is create confusion and duplication of effort.
Your Hijack This log are getting shorter each time you post. I hope you have not been fixing items yourself? Please repost your full log in this thread and also go here and download and run Silent Runners.vbs to your Desktop. It generates a log too. Please post the information back in this thread. If your AV queries the script, allow it to run. It's not malicious. |
#3
|
|||
|
|||
Logfile of HijackThis v1.99.1
Scan saved at 9:59:43 PM, on 10/30/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton Internet Security\NISUM.EXE C:\Program Files\Norton Internet Security\ccPxySvc.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ezSP_Px.exe C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe C:\program files\support.com\client\bin\tgcmd.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\AIM95\aim.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Steam\Steam.exe C:\WINDOWS\Downloaded Program Files\html.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\System32\WScript.exe C:\WINDOWS\Explorer.EXE C:\Program Files\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdochop.dll/defaultASX.htm#privacy_API; R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe Sorry about the multiple posting, and I've kept the programs alone. |
#4
|
||||
|
||||
Is that your full log? If so, have you "fixed" any entries using Hijack This? Dont forget to post your Silent Runners log please.
|
#5
|
|||
|
|||
No, I haven't fixed any entries, and the Silent Runners log shows up as
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "AIM" = "C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl" ["America Online, Inc."] "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [file not found] "Steam" = ""c:\program files\steam\steam.exe" -silent" ["Valve Corporation"] "areslite" = ""C:\Program Files\Ares Lite Edition\AresLite.exe" -h" [file not found] "PopUpStopperFreeEdition" = ""C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"" ["Panicware, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."] "ezShieldProtector for Px" = "C:\WINDOWS\System32\ezSP_Px.exe" ["Easy Systems Japan Ltd."] "VAIOSurvey" = "c:\program files\sony\vaio survey\surveysa.exe" ["Sony Electronics"] "ZZZ" = "C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe" ["Sony Electronics Inc"] "ZTgServerSwitch" = ""c:\program files\support.com\client\bin\tgcmd.exe" /server" [file not found] "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"] "HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"] "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"] "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"] "VAIO Recovery" = "C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" ["Sony Electronics Inc"] "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" ["Sun Microsystems, Inc."] "eAntiSpy" = "C:\Program Files\eAntiSpyTrial\Alert.exe" [file not found] "iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "FH" = "C:\WINDOWS\system32\svchop.exe home" [null data] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided) \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\ {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}\(Default) = "AOL Toolbar Launcher" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{3FCEF010-09A4-11D4-8D3B-D12F9D3D8B02}" = "TIShelEx Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\TISHAR~1\TICONN~1\TIShlExt.d ll" ["Texas Instruments Incorporated"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"] INFECTION WARNING! wincqt32\DLLName = "wincqt32.dll" [null data] HKLM\Software\Classes\*\shellex\ContextMenuHandler s\ Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\ Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Active Desktop web content: HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\ "FriendlyName" = "Warning homepage" "Source" = "C:\WINDOWS\warnhp.html" "SubscribedURL" = "" Startup items in "admin" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\admin\Start Menu\Programs\Startup "LimeWire On Startup" -> shortcut to: "C:\Program Files\LimeWire\LimeWire.exe -startup" ["Lime Wire, LLC"] C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Billminder" -> shortcut to: "C:\Program Files\Quicken\billmind.exe -startup" ["Intuit"] "eAntiSpy Diagnostics" -> shortcut to: "C:\Program Files\eAntiSpyTrial\Alert.exe /u" [file not found] "MA111 Configuration Utility" -> shortcut to: "C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe" [null data] "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS] INFECTION WARNING! "OSA.exe" [null data] "Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."] "Quicken Startup" -> shortcut to: "C:\Program Files\Quicken\QWDLLS.EXE" ["Intuit"] Enabled Scheduled Tasks: ------------------------ "Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON ~2\Tasks\mycomp.sca" ["Symantec Corporation"] "Registration reminder 2" -> launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /r /n:2" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" [file not found] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" [file not found] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {3369AF0D-62E9-4BDA-8103-B4C75499B578}\ "ButtonText" = "AOL Toolbar" "CLSIDExtension" = "{DE9C389F-3316-41A7-809B-AA305ED9D922}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" [file not found] {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\ "ButtonText" = "AIM" "Exec" = "C:\PROGRA~1\AIM95\aim.exe" ["America Online, Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."] Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"] Norton Internet Security Accounts Manager, NISUM, ""C:\Program Files\Norton Internet Security\NISUM.EXE"" ["Symantec Corporation"] Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"] Symantec Proxy Service, ccPxySvc, ""C:\Program Files\Norton Internet Security\ccPxySvc.exe"" ["Symantec Corporation"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 11 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 20 seconds. ---------- (total run time: 77 seconds) |
#6
|
||||
|
||||
Yes I can see some baddies in your Silent Runners log. I can write a regedit to get rid of them but it really would be easier using Hijack This if we can. Try running it in Safe Mode.
To do this, restart your PC and tap F8 continuously as it restarts. Run Hijack This again now, save the log and post it here. |
#7
|
|||
|
|||
Logfile of HijackThis v1.99.1
Scan saved at 4:31:31 PM, on 10/31/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdochop.dll/defaultASX.htm#privacy_API; R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe O4 - HKLM\..\Run: [ZZZ] C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [eAntiSpy] C:\Program Files\eAntiSpyTrial\Alert.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [FH] C:\WINDOWS\system32\svchop.exe home O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe O4 - Global Startup: eAntiSpy Diagnostics.lnk = C:\Program Files\eAntiSpyTrial\Alert.exe O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: OSA.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000 O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129927676656 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: wincqt32 - C:\WINDOWS\SYSTEM32\wincqt32.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing) O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing) O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing) O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing) O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing) O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe Thank you in advance =) |
#8
|
||||
|
||||
Great. Download Pocket Killbox from here, unzip the file to your Desktop and have it ready to use.
Boot back into into Safe Mode and run Hijack This again. Check the below entries and click on Fix Checked. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdochop.dll/defaultASX.htm#privacy_API; O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O4 - HKLM\..\Run: [eAntiSpy] C:\Program Files\eAntiSpyTrial\Alert.exe O4 - HKLM\..\Run: [FH] C:\WINDOWS\system32\svchop.exe home O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h O4 - Global Startup: eAntiSpy Diagnostics.lnk = C:\Program Files\eAntiSpyTrial\Alert.exe O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O20 - Winlogon Notify: wincqt32 - C:\WINDOWS\SYSTEM32\wincqt32.dll Still in Safe Mode, run Killbox now. Copy and paste the full file path of the below files in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, click "Yes". Process and Reboot now?" Click "Yes" to reboot only after the last file you enter. C:\WINDOWS\system32\svchop.exe home C:\WINDOWS\SYSTEM32\wincqt32.dll Post a new Hijack This log and a new Silent Runners log please. Also make sure that you can view hidden files and folders, uncheck "Hide Extensions for Known File Types" and "Hide Protected Operating System Files". Now run a search for osa.exe. How many times did you find this file and post the full filepath of each please. |
#9
|
|||
|
|||
Logfile of HijackThis v1.99.1
Scan saved at 5:52:54 PM, on 10/31/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton Internet Security\NISUM.EXE C:\Program Files\Norton Internet Security\ccPxySvc.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ezSP_Px.exe C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\AIM95\aim.exe C:\Program Files\iPod\bin\iPodService.exe C:\program files\steam\steam.exe C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE C:\Program Files\LimeWire\LimeWire.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe O4 - HKLM\..\Run: [ZZZ] C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: OSA.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000 O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129927676656 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing) O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing) O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing) O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing) O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing) O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe And the Silent Runners log is: "Silent Runners.vbs", revision 41, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "AIM" = "C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl" ["America Online, Inc."] "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [file not found] "Steam" = ""c:\program files\steam\steam.exe" -silent" ["Valve Corporation"] "PopUpStopperFreeEdition" = ""C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"" ["Panicware, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."] "ezShieldProtector for Px" = "C:\WINDOWS\System32\ezSP_Px.exe" ["Easy Systems Japan Ltd."] "VAIOSurvey" = "c:\program files\sony\vaio survey\surveysa.exe" ["Sony Electronics"] "ZZZ" = "C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe" ["Sony Electronics Inc"] "ZTgServerSwitch" = ""c:\program files\support.com\client\bin\tgcmd.exe" /server" [file not found] "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"] "HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"] "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"] "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"] "VAIO Recovery" = "C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" ["Sony Electronics Inc"] "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" ["Sun Microsystems, Inc."] "iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided) \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{3FCEF010-09A4-11D4-8D3B-D12F9D3D8B02}" = "TIShelEx Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\TISHAR~1\TICONN~1\TIShlExt.d ll" ["Texas Instruments Incorporated"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"] HKLM\Software\Classes\*\shellex\ContextMenuHandler s\ Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\ Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Bliss.bmp" Startup items in "admin" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\admin\Start Menu\Programs\Startup "LimeWire On Startup" -> shortcut to: "C:\Program Files\LimeWire\LimeWire.exe -startup" ["Lime Wire, LLC"] C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Billminder" -> shortcut to: "C:\Program Files\Quicken\billmind.exe -startup" ["Intuit"] "MA111 Configuration Utility" -> shortcut to: "C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe" [null data] "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS] INFECTION WARNING! "OSA.exe" [null data] "Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."] "Quicken Startup" -> shortcut to: "C:\Program Files\Quicken\QWDLLS.EXE" ["Intuit"] Enabled Scheduled Tasks: ------------------------ "Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON ~2\Tasks\mycomp.sca" ["Symantec Corporation"] "Registration reminder 2" -> launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /r /n:2" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{DE9C389F-3316-41A7-809B-AA305ED9D922}" = "AOL Toolbar" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll" [file not found] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\ "ButtonText" = "AIM" "Exec" = "C:\PROGRA~1\AIM95\aim.exe" ["America Online, Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."] Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"] Norton Internet Security Accounts Manager, NISUM, ""C:\Program Files\Norton Internet Security\NISUM.EXE"" ["Symantec Corporation"] Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"] Symantec Proxy Service, ccPxySvc, ""C:\Program Files\Norton Internet Security\ccPxySvc.exe"" ["Symantec Corporation"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 54 seconds, including 4 seconds for message boxes) |
#10
|
||||
|
||||
Your log looks mostly fine now. We just need to check osa.exe and make sure that file is legitimate. Post back all the filepaths that you find please.
|
#11
|
|||
|
|||
It came up 4 times. The results were as followed:
OSA.EXE-1D703687.pf OSA.EXE-28494AD2.pf OSA (Application file) OSA (Application file) |
#12
|
||||
|
||||
Ok, the bottom two are the files I am interested in.
Quote:
|
#13
|
|||
|
|||
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
|
#14
|
||||
|
||||
Ok, it looks like there is a shortcut to osa.exe in that folder and an executable, osa.exe. Rightclick on the latter file and choose Copy. Open a new folder on your Desktop and paste the file inside it and zip it up. When you have done this, email it to me as attachment. My address is anniefriday@xtra.co.nz (include a link to this thread). I will post back when I have checked the file out.
|
#15
|
|||
|
|||
I sent the Email. Thanks again!
|
![]() |
Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
![]() |
||||
Topic | Topic Starter | Forum | Replies | Last Post |
Trojan/malware (hjt log inside) | UgaUga | Malware Removal | 27 | September 16th, 2008 08:35 PM |
Computer acting very strange.. logfile inside | no0b_wun | Malware Removal | 1 | February 5th, 2007 11:15 PM |
virus/malware inside explorer.exe? | cody1109 | Malware Removal | 12 | May 18th, 2005 10:55 PM |
major spyware probs...logfile inside | thor015 | Malware Removal | 48 | January 1st, 2005 01:14 AM |
Help with Sysai and other spyware...hijack this logfile inside | blrredreality | Malware Removal | 6 | April 27th, 2004 05:13 AM |
All times are GMT +1. The time now is 11:13 PM.