 |  |  |  |  |  |  |  |
I've got a nasti VX2 infection
 |
I managed to run findit in normal mode - had to wait about an hour to get the log. Also had no problems running hijackthis. However, it seems I'm having problem running silent runners. Their web site says that the script should not take more than some second to run and produce the log. I'm waiting already about an hour and still don't have the log. If I check in the Task Manager it says that the script is still running. Don't know what to do.
May be it is because the machine is still extremely slow.
Found another problem too - actually two of them. First, if I connect the PC to internet (to the cable) and opent IE and want to access for example www.yahoo.com, after a second the URL changes to something like
c:///%20www.yahoo.com and IE says page not found. If I type again www.yahoo.com IE crashes and closes.
Then the second thing I noticed was that if I go in the control panel and try to open Add/Remove Programs it opens an empty window which crashes/closes after half a minute. Something is really not as it is supposed to be in my computer.
Here I attach the logs from findit and hijackthis. If I manage to get the one from silen runners I'll add it later. Thanks for the help.
Findit:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Svilen\Apps\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/05/2005 09:33p <DIR> dllcache
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
05/10/2000 11:00p 397,312 Msrdo20.dll
03/13/2000 11:00p 151,552 Rdocurs.dll
9 File(s) 549,088 bytes
1 Dir(s) 20,485,458,432 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/08/2005 11:24p 33 FFASTLOG.TXT
01/05/2005 09:33p <DIR> dllcache
01/04/2005 06:53p 124 vsconfig.xml
07/14/2003 07:23p 4,212 zllictbl.dat
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
06/08/2003 11:04p <DIR> GroupPolicy
06/08/2003 10:55p 21,692 folder.htt
06/08/2003 10:55p 271 desktop.ini
12 File(s) 26,556 bytes
2 Dir(s) 20,485,449,216 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
------ Temp Files in System32 Directory ------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 20,485,456,896 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"New Value #1"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
C:\WINNT\SYSTEM32\
ffastlog.txt Sat Jan 8 2005 11:24:04p A..H. 33 0.03 K
vsconfig.xml Tue Jan 4 2005 6:53:18p A..H. 124 0.12 K
2 items found: 2 files, 0 directories.
Total of file sizes: 157 bytes 0.15 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"tgcmdprovidersbc"=";\"c:\\program files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf /nosystray"
"LTSMMSG"=";LTSMMSG.exe"
"ControlPanel"=";C:\\WINNT\\System32\\cmd32.exe internat.dll,LoadKeyboardProfile"
"Hcontrol"="C:\\WINNT\\Hcontrol.exe"
"SiS KHooker"=";C:\\WINNT\\System32\\khooker.exe"
"SoundMan"=";SOUNDMAN.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"EM_EXEC"=";C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe SetReg"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"BJCFD"=";C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"ABREGMON"="C:\\Program Files\\MKS\\Bin\\ABregmon.exe"
Hijackthis:
Logfile of HijackThis v1.99.0
Scan saved at 1:16:10 PM, on 1/9/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\Program Files\MKS\Bin\mksmonsv.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
c:\svilen\apps\psd14\lmgrd.exe
C:\WINNT\Hcontrol.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\MKS\Bin\ABregmon.exe
C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\ATKOSD.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Svilen\Apps\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.48.49.94:8080
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmdprovidersbc] ;"c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [LTSMMSG] ;LTSMMSG.exe
O4 - HKLM\..\Run: [ControlPanel] ;C:\WINNT\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Hcontrol] C:\WINNT\Hcontrol.exe
O4 - HKLM\..\Run: [SiS KHooker] ;C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] ;SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EM_EXEC] ;C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BJCFD] ;C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ABREGMON] C:\Program Files\MKS\Bin\ABregmon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Hotkey.lnk = C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddLink.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\aklsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.248/328//main.chm::/update.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3096BE2E-CB1E-4AC6-A6A4-724CE3C517EA}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{3096BE2E-CB1E-4AC6-A6A4-724CE3C517EA}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{3096BE2E-CB1E-4AC6-A6A4-724CE3C517EA}: NameServer = 192.168.1.1
O23 - Service: ArcaBit NetMonitor - ArcaBit sp. z o.o. - C:\Program Files\MKS\Bin\NetMonSV.exe
O23 - Service: AVP Control Centre Service - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
O23 - Service: Cadence License Manager - Globetrotter Software Inc - c:\svilen\apps\psd14\lmgrd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
O23 - Service: KAV Monitor Service - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - C:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 - Service: mks_vir antivirus monitor - Unknown - C:\Program Files\MKS\Bin\mksmonsv.exe
O23 - Service: MkS_Scan - Unknown - C:\Program Files\MKS\Bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Portmap - Unknown - C:\WINNT\System32\portmap.exe (file missing)
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
May be it is because the machine is still extremely slow.
Found another problem too - actually two of them. First, if I connect the PC to internet (to the cable) and opent IE and want to access for example www.yahoo.com, after a second the URL changes to something like
c:///%20www.yahoo.com and IE says page not found. If I type again www.yahoo.com IE crashes and closes.
Then the second thing I noticed was that if I go in the control panel and try to open Add/Remove Programs it opens an empty window which crashes/closes after half a minute. Something is really not as it is supposed to be in my computer.
Here I attach the logs from findit and hijackthis. If I manage to get the one from silen runners I'll add it later. Thanks for the help.
Findit:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Svilen\Apps\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/05/2005 09:33p <DIR> dllcache
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
05/10/2000 11:00p 397,312 Msrdo20.dll
03/13/2000 11:00p 151,552 Rdocurs.dll
9 File(s) 549,088 bytes
1 Dir(s) 20,485,458,432 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/08/2005 11:24p 33 FFASTLOG.TXT
01/05/2005 09:33p <DIR> dllcache
01/04/2005 06:53p 124 vsconfig.xml
07/14/2003 07:23p 4,212 zllictbl.dat
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
06/08/2003 11:04p <DIR> GroupPolicy
06/08/2003 10:55p 21,692 folder.htt
06/08/2003 10:55p 271 desktop.ini
12 File(s) 26,556 bytes
2 Dir(s) 20,485,449,216 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
------ Temp Files in System32 Directory ------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 20,485,456,896 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"New Value #1"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
C:\WINNT\SYSTEM32\
ffastlog.txt Sat Jan 8 2005 11:24:04p A..H. 33 0.03 K
vsconfig.xml Tue Jan 4 2005 6:53:18p A..H. 124 0.12 K
2 items found: 2 files, 0 directories.
Total of file sizes: 157 bytes 0.15 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"tgcmdprovidersbc"=";\"c:\\program files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf /nosystray"
"LTSMMSG"=";LTSMMSG.exe"
"ControlPanel"=";C:\\WINNT\\System32\\cmd32.exe internat.dll,LoadKeyboardProfile"
"Hcontrol"="C:\\WINNT\\Hcontrol.exe"
"SiS KHooker"=";C:\\WINNT\\System32\\khooker.exe"
"SoundMan"=";SOUNDMAN.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"EM_EXEC"=";C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe SetReg"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"BJCFD"=";C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"ABREGMON"="C:\\Program Files\\MKS\\Bin\\ABregmon.exe"
Hijackthis:
Logfile of HijackThis v1.99.0
Scan saved at 1:16:10 PM, on 1/9/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\Program Files\MKS\Bin\mksmonsv.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
c:\svilen\apps\psd14\lmgrd.exe
C:\WINNT\Hcontrol.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\MKS\Bin\ABregmon.exe
C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\ATKOSD.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Svilen\Apps\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.48.49.94:8080
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmdprovidersbc] ;"c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [LTSMMSG] ;LTSMMSG.exe
O4 - HKLM\..\Run: [ControlPanel] ;C:\WINNT\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Hcontrol] C:\WINNT\Hcontrol.exe
O4 - HKLM\..\Run: [SiS KHooker] ;C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] ;SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EM_EXEC] ;C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BJCFD] ;C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ABREGMON] C:\Program Files\MKS\Bin\ABregmon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Hotkey.lnk = C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddLink.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\aklsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.248/328//main.chm::/update.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3096BE2E-CB1E-4AC6-A6A4-724CE3C517EA}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{3096BE2E-CB1E-4AC6-A6A4-724CE3C517EA}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{3096BE2E-CB1E-4AC6-A6A4-724CE3C517EA}: NameServer = 192.168.1.1
O23 - Service: ArcaBit NetMonitor - ArcaBit sp. z o.o. - C:\Program Files\MKS\Bin\NetMonSV.exe
O23 - Service: AVP Control Centre Service - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
O23 - Service: Cadence License Manager - Globetrotter Software Inc - c:\svilen\apps\psd14\lmgrd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
O23 - Service: KAV Monitor Service - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - C:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 - Service: mks_vir antivirus monitor - Unknown - C:\Program Files\MKS\Bin\mksmonsv.exe
O23 - Service: MkS_Scan - Unknown - C:\Program Files\MKS\Bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Portmap - Unknown - C:\WINNT\System32\portmap.exe (file missing)
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
•
•
Join Date: Feb 2004
Posts: 10,110
Reputation: 
Solved Threads: 768
Could have the culprit here 
.
Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "aklsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.
Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ControlPanel] ;C:\WINNT\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O15 - Trusted IP range: (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx
Topconverting Adware
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.248/328//main.chm::/update.exe
Adult Content Dialer
O23 - Service: Portmap - Unknown - C:\WINNT\System32\portmap.exe (file missing)
Reboot into safe mode following the instructions here and navigate to and delete the following if found:
C:\WINNT\System32\cmd32.exe<----file
c:\winnt\system32\aklsp.dll<----file
Reboot normally after doing the above, rescan with hijackthis, then post that log here please.
.Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "aklsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.
Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ControlPanel] ;C:\WINNT\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O15 - Trusted IP range: (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx
Topconverting Adware
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.163.248/328//main.chm::/update.exe
Adult Content Dialer
O23 - Service: Portmap - Unknown - C:\WINNT\System32\portmap.exe (file missing)
Reboot into safe mode following the instructions here and navigate to and delete the following if found:
C:\WINNT\System32\cmd32.exe<----file
c:\winnt\system32\aklsp.dll<----file
Reboot normally after doing the above, rescan with hijackthis, then post that log here please.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Crunchie,
I followed your instructions. After I rebooted in safe mode there were no instances of the files you mentioned. There is a file called cmdl32.exe which I left untouched.
Yesterday, I found out that my computer was slowed down by lmgrd.exe which is a licence daemon for flexlm. It was occupying close to 100% of the CPU. I renamed the file, so it is not loaded at start up now and the computer runs ok in terms of speed
Where are you? At about what time to you go online here? Just to know when I can expect to "see" you.
Here again are my findit and hijackthis files. Thanks.
Find_it:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Svilen\Apps\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/05/2005 09:33p <DIR> dllcache
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
05/10/2000 11:00p 397,312 Msrdo20.dll
03/13/2000 11:00p 151,552 Rdocurs.dll
9 File(s) 549,088 bytes
1 Dir(s) 20,636,644,864 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/10/2005 09:25a 484 FFASTLOG.TXT
01/05/2005 09:33p <DIR> dllcache
01/04/2005 06:53p 124 vsconfig.xml
07/14/2003 07:23p 4,212 zllictbl.dat
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
06/08/2003 11:04p <DIR> GroupPolicy
06/08/2003 10:55p 21,692 folder.htt
06/08/2003 10:55p 271 desktop.ini
12 File(s) 27,007 bytes
2 Dir(s) 20,636,635,648 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
------ Temp Files in System32 Directory ------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 20,636,643,328 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sbcydsl 3.12"="sbcydsl 3.12"
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"New Value #1"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
C:\WINNT\SYSTEM32\
ffastlog.txt Mon Jan 10 2005 9:25:40a A..H. 484 0.47 K
vsconfig.xml Tue Jan 4 2005 6:53:18p A..H. 124 0.12 K
2 items found: 2 files, 0 directories.
Total of file sizes: 608 bytes 0.59 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"tgcmdprovidersbc"="\"c:\\program files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf /nosystray"
"LTSMMSG"="LTSMMSG.exe"
"Hcontrol"="C:\\WINNT\\Hcontrol.exe"
"SiS KHooker"="C:\\WINNT\\System32\\khooker.exe"
"SoundMan"="SOUNDMAN.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe SetReg"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"ABREGMON"="C:\\Program Files\\MKS\\Bin\\ABregmon.exe"
Hijackthis:
Logfile of HijackThis v1.99.0
Scan saved at 9:35:27 AM, on 1/10/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\MKS\Bin\NetMonSV.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\MKS\Bin\mksmonsv.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\Hcontrol.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\ATKOSD.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\MKS\Bin\ABregmon.exe
C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Svilen\Apps\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.48.49.94:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Hcontrol] C:\WINNT\Hcontrol.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ABREGMON] C:\Program Files\MKS\Bin\ABregmon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Hotkey.lnk = C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddLink.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E47F290-75F5-4CFB-A827-BAB20551539C}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: ArcaBit NetMonitor - ArcaBit sp. z o.o. - C:\Program Files\MKS\Bin\NetMonSV.exe
O23 - Service: Cadence License Manager - Unknown - c:\svilen\apps\psd14\lmgrd.exe (file missing)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - C:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 - Service: mks_vir antivirus monitor - Unknown - C:\Program Files\MKS\Bin\mksmonsv.exe
O23 - Service: MkS_Scan - Unknown - C:\Program Files\MKS\Bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
I followed your instructions. After I rebooted in safe mode there were no instances of the files you mentioned. There is a file called cmdl32.exe which I left untouched.
Yesterday, I found out that my computer was slowed down by lmgrd.exe which is a licence daemon for flexlm. It was occupying close to 100% of the CPU. I renamed the file, so it is not loaded at start up now and the computer runs ok in terms of speed
Where are you? At about what time to you go online here? Just to know when I can expect to "see" you.
Here again are my findit and hijackthis files. Thanks.
Find_it:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Svilen\Apps\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/05/2005 09:33p <DIR> dllcache
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
05/10/2000 11:00p 397,312 Msrdo20.dll
03/13/2000 11:00p 151,552 Rdocurs.dll
9 File(s) 549,088 bytes
1 Dir(s) 20,636,644,864 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/10/2005 09:25a 484 FFASTLOG.TXT
01/05/2005 09:33p <DIR> dllcache
01/04/2005 06:53p 124 vsconfig.xml
07/14/2003 07:23p 4,212 zllictbl.dat
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
06/08/2003 11:04p <DIR> GroupPolicy
06/08/2003 10:55p 21,692 folder.htt
06/08/2003 10:55p 271 desktop.ini
12 File(s) 27,007 bytes
2 Dir(s) 20,636,635,648 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
------ Temp Files in System32 Directory ------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 20,636,643,328 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sbcydsl 3.12"="sbcydsl 3.12"
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"New Value #1"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
C:\WINNT\SYSTEM32\
ffastlog.txt Mon Jan 10 2005 9:25:40a A..H. 484 0.47 K
vsconfig.xml Tue Jan 4 2005 6:53:18p A..H. 124 0.12 K
2 items found: 2 files, 0 directories.
Total of file sizes: 608 bytes 0.59 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"tgcmdprovidersbc"="\"c:\\program files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf /nosystray"
"LTSMMSG"="LTSMMSG.exe"
"Hcontrol"="C:\\WINNT\\Hcontrol.exe"
"SiS KHooker"="C:\\WINNT\\System32\\khooker.exe"
"SoundMan"="SOUNDMAN.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe SetReg"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"ABREGMON"="C:\\Program Files\\MKS\\Bin\\ABregmon.exe"
Hijackthis:
Logfile of HijackThis v1.99.0
Scan saved at 9:35:27 AM, on 1/10/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\MKS\Bin\NetMonSV.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\MKS\Bin\mksmonsv.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\Hcontrol.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\ATKOSD.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\MKS\Bin\ABregmon.exe
C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Svilen\Apps\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.48.49.94:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Hcontrol] C:\WINNT\Hcontrol.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ABREGMON] C:\Program Files\MKS\Bin\ABregmon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Hotkey.lnk = C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddLink.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E47F290-75F5-4CFB-A827-BAB20551539C}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: ArcaBit NetMonitor - ArcaBit sp. z o.o. - C:\Program Files\MKS\Bin\NetMonSV.exe
O23 - Service: Cadence License Manager - Unknown - c:\svilen\apps\psd14\lmgrd.exe (file missing)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - C:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 - Service: mks_vir antivirus monitor - Unknown - C:\Program Files\MKS\Bin\mksmonsv.exe
O23 - Service: MkS_Scan - Unknown - C:\Program Files\MKS\Bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
•
•
Join Date: Feb 2004
Posts: 10,110
Reputation:
Solved Threads: 768
Looks like you missed one.
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx
-Topconverting Adware
Download, install and keep updated, Spywareblaster from www.javacoolsoftware.com to help keep your system clean.
I'm in Australia and normally get on-line about 5.30PM +8 hours Greenwich Mean Time.
The cmdl.exe file is legitimate.
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/8/loader2.ocx
-Topconverting Adware
Download, install and keep updated, Spywareblaster from www.javacoolsoftware.com to help keep your system clean.
I'm in Australia and normally get on-line about 5.30PM +8 hours Greenwich Mean Time.
The cmdl.exe file is legitimate.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
OK, I cleaned that one too.
However, I still can't connect to internet. I reinstalled my ISP's s/w and I can connect to their server, but when I type for example www.yahoo.com in IE, it returns "page not found". Basically, the same is the effect if I use mozilla. Do you think it's a good idea to reinstall W2K over the present installation - I may have problems with this since I have SP3 installed on the computer and the installation cd is older than that.
But at least now when I open Add/Remove Programs it doesn't crash :-)
One more thing. In terms of protecting my computer against viruses, adware, spyware etc., putting a firewall, what software would you recommend to install?
You know, when I was downloading spywareblaster, I got the message
"Spybot reports that you want to download "Avenue A, Inc.". This is a known threat. Do you want to Bloc this". I say "yes" to block it, but now everytime I open a new page I get this message. There's something sitting in my computer (this is the desktop now, not the laptop). The same is reported for something called "DoubleClick"
I'm in California, so time difference is big :-)
Here are again my last finit and hijackthis logs:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Svilen\Apps\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/05/2005 09:33p <DIR> dllcache
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
05/10/2000 11:00p 397,312 Msrdo20.dll
03/13/2000 11:00p 151,552 Rdocurs.dll
9 File(s) 549,088 bytes
1 Dir(s) 20,638,195,712 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/11/2005 08:54a 517 FFASTLOG.TXT
01/05/2005 09:33p <DIR> dllcache
01/04/2005 06:53p 124 vsconfig.xml
07/14/2003 07:23p 4,212 zllictbl.dat
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
06/08/2003 11:04p <DIR> GroupPolicy
06/08/2003 10:55p 21,692 folder.htt
06/08/2003 10:55p 271 desktop.ini
12 File(s) 27,040 bytes
2 Dir(s) 20,638,186,496 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
------ Temp Files in System32 Directory ------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 20,638,194,176 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sbcydsl 3.12"="sbcydsl 3.12"
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"New Value #1"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
C:\WINNT\SYSTEM32\
ffastlog.txt Tue Jan 11 2005 8:55:00a A..H. 517 0.50 K
vsconfig.xml Tue Jan 4 2005 6:53:18p A..H. 124 0.12 K
2 items found: 2 files, 0 directories.
Total of file sizes: 641 bytes 0.63 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"tgcmdprovidersbc"="\"c:\\program files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf /nosystray"
"LTSMMSG"="LTSMMSG.exe"
"Hcontrol"="C:\\WINNT\\Hcontrol.exe"
"SiS KHooker"="C:\\WINNT\\System32\\khooker.exe"
"SoundMan"="SOUNDMAN.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe SetReg"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"ABREGMON"="C:\\Program Files\\MKS\\Bin\\ABregmon.exe"
Logfile of HijackThis v1.99.0
Scan saved at 9:12:18 AM, on 1/11/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\MKS\Bin\NetMonSV.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\MKS\Bin\mksmonsv.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\Hcontrol.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\ATKOSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\MKS\Bin\ABregmon.exe
C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\ntvdm.exe
C:\Svilen\Apps\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.48.49.94:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Hcontrol] C:\WINNT\Hcontrol.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ABREGMON] C:\Program Files\MKS\Bin\ABregmon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Hotkey.lnk = C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddLink.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E47F290-75F5-4CFB-A827-BAB20551539C}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: ArcaBit NetMonitor - ArcaBit sp. z o.o. - C:\Program Files\MKS\Bin\NetMonSV.exe
O23 - Service: Cadence License Manager - Unknown - c:\svilen\apps\psd14\lmgrd.exe (file missing)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - C:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 - Service: mks_vir antivirus monitor - Unknown - C:\Program Files\MKS\Bin\mksmonsv.exe
O23 - Service: MkS_Scan - Unknown - C:\Program Files\MKS\Bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
Thanks for the help
However, I still can't connect to internet. I reinstalled my ISP's s/w and I can connect to their server, but when I type for example www.yahoo.com in IE, it returns "page not found". Basically, the same is the effect if I use mozilla. Do you think it's a good idea to reinstall W2K over the present installation - I may have problems with this since I have SP3 installed on the computer and the installation cd is older than that.
But at least now when I open Add/Remove Programs it doesn't crash :-)
One more thing. In terms of protecting my computer against viruses, adware, spyware etc., putting a firewall, what software would you recommend to install?
You know, when I was downloading spywareblaster, I got the message
"Spybot reports that you want to download "Avenue A, Inc.". This is a known threat. Do you want to Bloc this". I say "yes" to block it, but now everytime I open a new page I get this message. There's something sitting in my computer (this is the desktop now, not the laptop). The same is reported for something called "DoubleClick"
I'm in California, so time difference is big :-)
Here are again my last finit and hijackthis logs:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Svilen\Apps\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/05/2005 09:33p <DIR> dllcache
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
05/10/2000 11:00p 397,312 Msrdo20.dll
03/13/2000 11:00p 151,552 Rdocurs.dll
9 File(s) 549,088 bytes
1 Dir(s) 20,638,195,712 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/11/2005 08:54a 517 FFASTLOG.TXT
01/05/2005 09:33p <DIR> dllcache
01/04/2005 06:53p 124 vsconfig.xml
07/14/2003 07:23p 4,212 zllictbl.dat
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
06/08/2003 11:04p <DIR> GroupPolicy
06/08/2003 10:55p 21,692 folder.htt
06/08/2003 10:55p 271 desktop.ini
12 File(s) 27,040 bytes
2 Dir(s) 20,638,186,496 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
------ Temp Files in System32 Directory ------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 20,638,194,176 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sbcydsl 3.12"="sbcydsl 3.12"
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"New Value #1"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
C:\WINNT\SYSTEM32\
ffastlog.txt Tue Jan 11 2005 8:55:00a A..H. 517 0.50 K
vsconfig.xml Tue Jan 4 2005 6:53:18p A..H. 124 0.12 K
2 items found: 2 files, 0 directories.
Total of file sizes: 641 bytes 0.63 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"tgcmdprovidersbc"="\"c:\\program files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf /nosystray"
"LTSMMSG"="LTSMMSG.exe"
"Hcontrol"="C:\\WINNT\\Hcontrol.exe"
"SiS KHooker"="C:\\WINNT\\System32\\khooker.exe"
"SoundMan"="SOUNDMAN.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe SetReg"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"ABREGMON"="C:\\Program Files\\MKS\\Bin\\ABregmon.exe"
Logfile of HijackThis v1.99.0
Scan saved at 9:12:18 AM, on 1/11/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\MKS\Bin\NetMonSV.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\MKS\Bin\mksmonsv.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\Hcontrol.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\ATKOSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\MKS\Bin\ABregmon.exe
C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\ntvdm.exe
C:\Svilen\Apps\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcyds...oo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.48.49.94:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Hcontrol] C:\WINNT\Hcontrol.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ABREGMON] C:\Program Files\MKS\Bin\ABregmon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Hotkey.lnk = C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddLink.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E47F290-75F5-4CFB-A827-BAB20551539C}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: ArcaBit NetMonitor - ArcaBit sp. z o.o. - C:\Program Files\MKS\Bin\NetMonSV.exe
O23 - Service: Cadence License Manager - Unknown - c:\svilen\apps\psd14\lmgrd.exe (file missing)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - C:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 - Service: mks_vir antivirus monitor - Unknown - C:\Program Files\MKS\Bin\mksmonsv.exe
O23 - Service: MkS_Scan - Unknown - C:\Program Files\MKS\Bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
Thanks for the help
•
•
Join Date: Feb 2004
Posts: 10,110
Reputation:
Solved Threads: 768
Crunchie,
I think I'm nearing the end of this, so please bear with me just a bit more. I appreciate your help.
I ran LSPFix the way you said. There was nothing in the left window. After pressing Finish the massage said:
Repairs complete
0 NameSpace provider entries removed
0 NameSpace provider entries renumbered
0 Protocol provider entires removed
0 Protocol provider entires renumbered
I ran also IEFIX, but unfortunately this didn't solve the problem. Still can not search in internet. I don't think it is an IE problem. If I use Mozilla, the result is the same.
Do you think it's a good idea to reinstall W2K over the present installation - I may have problems with this since I have SP3 installed on the computer and the installation cd is older than that.
One more thing. In terms of protecting my computer against viruses, adware, spyware etc., putting a firewall, what software would you recommend to install?
Here once again are my findit and hijackthis files:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Svilen\Apps\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/12/2005 09:35a <DIR> dllcache
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
05/10/2000 11:00p 397,312 Msrdo20.dll
03/13/2000 11:00p 151,552 Rdocurs.dll
9 File(s) 549,088 bytes
1 Dir(s) 20,499,070,976 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/12/2005 08:06p 716 FFASTLOG.TXT
01/12/2005 09:35a <DIR> dllcache
01/04/2005 06:53p 124 vsconfig.xml
07/14/2003 07:23p 4,212 zllictbl.dat
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
06/08/2003 11:04p <DIR> GroupPolicy
06/08/2003 10:55p 21,692 folder.htt
06/08/2003 10:55p 271 desktop.ini
12 File(s) 27,239 bytes
2 Dir(s) 20,499,061,760 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
------ Temp Files in System32 Directory ------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 20,499,069,440 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sbcydsl 3.12"="sbcydsl 3.12"
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"New Value #1"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
C:\WINNT\SYSTEM32\
ffastlog.txt Wed Jan 12 2005 8:06:46p A..H. 716 0.70 K
vsconfig.xml Tue Jan 4 2005 6:53:18p A..H. 124 0.12 K
2 items found: 2 files, 0 directories.
Total of file sizes: 840 bytes 0.82 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"tgcmdprovidersbc"="\"c:\\program files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf /nosystray"
"LTSMMSG"="LTSMMSG.exe"
"Hcontrol"="C:\\WINNT\\Hcontrol.exe"
"SiS KHooker"="C:\\WINNT\\System32\\khooker.exe"
"SoundMan"="SOUNDMAN.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe SetReg"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"ABREGMON"="C:\\Program Files\\MKS\\Bin\\ABregmon.exe"
Logfile of HijackThis v1.99.0
Scan saved at 8:38:55 PM, on 1/12/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\MKS\Bin\NetMonSV.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\MKS\Bin\mksmonsv.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\Hcontrol.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\ATKOSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\MKS\Bin\ABregmon.exe
C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\ntvdm.exe
C:\Svilen\Apps\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.48.49.94:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Hcontrol] C:\WINNT\Hcontrol.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ABREGMON] C:\Program Files\MKS\Bin\ABregmon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Hotkey.lnk = C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddLink.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E47F290-75F5-4CFB-A827-BAB20551539C}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: ArcaBit NetMonitor - ArcaBit sp. z o.o. - C:\Program Files\MKS\Bin\NetMonSV.exe
O23 - Service: Cadence License Manager - Unknown - c:\svilen\apps\psd14\lmgrd.exe (file missing)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - C:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 - Service: mks_vir antivirus monitor - Unknown - C:\Program Files\MKS\Bin\mksmonsv.exe
O23 - Service: MkS_Scan - Unknown - C:\Program Files\MKS\Bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
I think I'm nearing the end of this, so please bear with me just a bit more. I appreciate your help.
I ran LSPFix the way you said. There was nothing in the left window. After pressing Finish the massage said:
Repairs complete
0 NameSpace provider entries removed
0 NameSpace provider entries renumbered
0 Protocol provider entires removed
0 Protocol provider entires renumbered
I ran also IEFIX, but unfortunately this didn't solve the problem. Still can not search in internet. I don't think it is an IE problem. If I use Mozilla, the result is the same.
Do you think it's a good idea to reinstall W2K over the present installation - I may have problems with this since I have SP3 installed on the computer and the installation cd is older than that.
One more thing. In terms of protecting my computer against viruses, adware, spyware etc., putting a firewall, what software would you recommend to install?
Here once again are my findit and hijackthis files:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Svilen\Apps\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/12/2005 09:35a <DIR> dllcache
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
05/10/2000 11:00p 397,312 Msrdo20.dll
03/13/2000 11:00p 151,552 Rdocurs.dll
9 File(s) 549,088 bytes
1 Dir(s) 20,499,070,976 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
01/12/2005 08:06p 716 FFASTLOG.TXT
01/12/2005 09:35a <DIR> dllcache
01/04/2005 06:53p 124 vsconfig.xml
07/14/2003 07:23p 4,212 zllictbl.dat
06/10/2003 10:38a 32 {CF29D4AD-1F3D-492E-A227-5787F489A6E6}.dat
06/10/2003 10:37a 32 {287F7370-0A12-47F2-9F40-2FFDB245C853}.dat
06/10/2003 10:36a 32 {ED8C094E-6A69-4860-AC0F-C6E3B91A3341}.dat
06/10/2003 10:36a 32 {189B658B-CDA1-450A-98EC-1874B31D592A}.dat
06/10/2003 10:36a 32 {4B148977-E564-4BD0-B638-DFB135EAFE11}.dat
06/10/2003 10:36a 32 {0037823A-9B4B-4418-94D9-7CBC61EDC20A}.dat
06/10/2003 10:35a 32 {0C828796-5EF1-49F1-BF36-2FA0F77C420F}.dat
06/08/2003 11:04p <DIR> GroupPolicy
06/08/2003 10:55p 21,692 folder.htt
06/08/2003 10:55p 271 desktop.ini
12 File(s) 27,239 bytes
2 Dir(s) 20,499,061,760 bytes free
------------ Files Named "Guard" ---------------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
------ Temp Files in System32 Directory ------
Volume in drive C is SYSTEM
Volume Serial Number is 0CD7-2490
Directory of C:\WINNT\System32
12/07/1999 07:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 20,499,069,440 bytes free
------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sbcydsl 3.12"="sbcydsl 3.12"
------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"New Value #1"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------- Locate.com Results -------------
C:\WINNT\SYSTEM32\
ffastlog.txt Wed Jan 12 2005 8:06:46p A..H. 716 0.70 K
vsconfig.xml Tue Jan 4 2005 6:53:18p A..H. 124 0.12 K
2 items found: 2 files, 0 directories.
Total of file sizes: 840 bytes 0.82 K
-------- Strings.exe Qoologic Results --------
--------- Strings.exe Aspack Results ---------
-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"tgcmdprovidersbc"="\"c:\\program files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf /nosystray"
"LTSMMSG"="LTSMMSG.exe"
"Hcontrol"="C:\\WINNT\\Hcontrol.exe"
"SiS KHooker"="C:\\WINNT\\System32\\khooker.exe"
"SoundMan"="SOUNDMAN.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe SetReg"
"HPDJ Taskbar Utility"="C:\\WINNT\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"ABREGMON"="C:\\Program Files\\MKS\\Bin\\ABregmon.exe"
Logfile of HijackThis v1.99.0
Scan saved at 8:38:55 PM, on 1/12/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\MKS\Bin\NetMonSV.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
C:\Program Files\MKS\Bin\mksmonsv.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\Hcontrol.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\ATKOSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\MKS\Bin\ABregmon.exe
C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\system32\ntvdm.exe
C:\Svilen\Apps\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyds...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyds.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.48.49.94:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Hcontrol] C:\WINNT\Hcontrol.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ABREGMON] C:\Program Files\MKS\Bin\ABregmon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Hotkey.lnk = C:\Program Files\KEYBOARD\KEYBOARD Hotkey\Hotkey.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Svilen\Apps\NetTransport 2\NTAddLink.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E47F290-75F5-4CFB-A827-BAB20551539C}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: ArcaBit NetMonitor - ArcaBit sp. z o.o. - C:\Program Files\MKS\Bin\NetMonSV.exe
O23 - Service: Cadence License Manager - Unknown - c:\svilen\apps\psd14\lmgrd.exe (file missing)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
O23 - Service: MkSUpdateInt - MkS Sp. z o. o. - C:\Program Files\MKS\bin\MkSUpdateInt.exe
O23 - Service: mks_vir antivirus monitor - Unknown - C:\Program Files\MKS\Bin\mksmonsv.exe
O23 - Service: MkS_Scan - Unknown - C:\Program Files\MKS\Bin\mks_scan.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
|
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Slow computer + about:blank homepage
- Next Thread: xadssjt-a.offer
Views: 9003 | Replies: 30
| Thread Tools | Search this Thread |
Latest Viruses, Spyware and other Nasties Posts
Related Forum Features
Tag cloud for Viruses, Spyware and other Nasties
acrobat adobe adware anti-malware anti-virussitesaccessissue antivirus attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime ddos domains e-mafia education email europe exam exploit fake fancheckvirus gaming gumblar halloween herss.exe hijack hosting internet kaspersky legal mail malware mcafee mega-d messagelabs microsoft mobile nazi news obama onlinethreats paedophile parents patch pc phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect reliability report research risk rogueantivirus rootkit samhain sans school search security seopoisoning software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec threat trojan unwanted update usa virus viruses vista volume war warning windows worm yahoo zero-day zeroday
