Please Revise My Processes and whatnot

  1. #1
    Saiyan Eye (Newbie)

    Well, I know I have virus problems and I am hoping I can get some help from you guys! ANY help would be appreciated. I already got rid of a few problems I was having, I just want you guys to look over and check what I missed, because I know I missed a ton! This is my computer with nothing but Norton and SpyBot TeaTimer running.


    _________________________________________________
    Logfile of HijackThis v1.99.1
    Scan saved at 2:52:15 AM, on 7/13/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Documents and Settings\Adam\My Documents\Downloads\Fixing Things\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50212
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\WINDOWS\System32\req.dat (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Speech\dbmc.dll
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O15 - Trusted Zone: http://www.freewebs.com
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v6.cab
    O20 - Winlogon Notify: dbmc - C:\WINDOWS\Speech\dbmc.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: req - C:\WINDOWS\System32\req.dat (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    _________________________________________________


  2. #2
    Saiyan Eye (Newbie)
    Oh, I almost forgot to ask about a program! I download off of BitTorrent quite a bit and I was wondering if my client was adware/spyware/virus/trojan/worm free. The client I use is ABC. Thanks!
    Last edited by Saiyan Eye; 13-07-2005 at 08:03 PM.

  3. #3
    Saiyan Eye (Newbie)
    It's okay, you guys can take your time, I understand that you have other things to do.

  4. #4
    Saiyan Eye (Newbie)
    ########################################

    ServiceFilter 1.1
    by rand1038

    Microsoft Windows XP Professional
    Version: 5.1.2600 Service Pack 1
    Jul 13, 2005 2:09:07 PM


    ---> Begin Service Listing <---

    Unknown Service # 1
    Service Name: Adobe LM Service
    Display Name: Adobe LM Service
    Start Mode: Manual
    Start Name: LocalSystem
    Description: AdobeLM ...
    Service Type: Own Process
    Path: "c:\program files\common files\adobe systems shared\service\adobelmsvc.exe"
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 1077
    Accept Pause: False
    Accept Stop: False

    Unknown Service # 2
    Service Name: Brother XP spl Service
    Display Name: BrSplService
    Start Mode: Disabled
    Start Name: LocalSystem
    Description: ...
    Service Type: Own Process
    Path: c:\windows\system32\brsvc01a.exe
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 1077
    Accept Pause: False
    Accept Stop: False

    Unknown Service # 3
    Service Name: Ftdscmp0
    Display Name: Ftdscmp0
    Start Mode: Disabled
    Start Name:
    Description: ...
    Service Type: Share Process
    Path:
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 1077
    Accept Pause: False
    Accept Stop: False

    Unknown Service # 4
    Service Name: IDriverT
    Display Name: InstallDriver Table Manager
    Start Mode: Manual
    Start Name: LocalSystem
    Description: Provides support for the Running Object Table for InstallShield ...
    Service Type: Own Process
    Path: c:\program files\common files\installshield\driver\1050\intel 32\idrivert.exe
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 1077
    Accept Pause: False
    Accept Stop: False

    Unknown Service # 5
    Service Name: NPFMntor
    Display Name: Norton AntiVirus Firewall Monitor Service
    Start Mode: Auto
    Start Name: LocalSystem
    Description: Detects installation of Symantec Firewall ...
    Service Type: Own Process
    Path: c:\program files\norton antivirus\iwp\npfmntor.exe
    State: Running
    Process ID: 1416
    Started: True
    Exit Code: 0
    Accept Pause: False
    Accept Stop: True

    Unknown Service #6
    Service Name: SAVScan
    Display Name: SAVScan
    Start Mode: Manual
    Start Name: LocalSystem
    Description: Handles Norton AntiVirus Auto-Protect Archive ...
    Service Type: Own Process
    Path: c:\program files\norton antivirus\savscan.exe
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 1077
    Accept Pause: False
    Accept Stop: False

    Unknown Service #7
    Service Name: SwPrv
    Display Name: MS Software Shadow Copy Provider
    Start Mode: Disabled
    Start Name: LocalSystem
    Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
    Service Type: Own Process
    Path: c:\windows\system32\dllhost.exe /processid:{4940899a-4026-495c-a324-0214eaf13c95}
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 1077
    Accept Pause: False
    Accept Stop: False

    Unknown Service # 8
    Service Name: UleadBurningHelper
    Display Name: Ulead Burning Helper
    Start Mode: Disabled
    Start Name: LocalSystem
    Description: ...
    Service Type: Own Process
    Path: c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 1077
    Accept Pause: False
    Accept Stop: False

    Unknown Service # 9
    Service Name: UserAccess7
    Display Name: SecuROM User Access Service (V7)
    Start Mode: Disabled
    Start Name: LocalSystem
    Description: ...
    Service Type: Own Process
    Path: c:\windows\system32\uaservice7.exe
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 1077
    Accept Pause: False
    Accept Stop: False

    ---> End Service Listing <---

    There are 101 Win32 services on this machine.
    9 were unrecognized.

    Script Execution Time: 24.70313 seconds.

  5. #5
    HJThis (Senior Member)
    Hello, Saiyan Eye & welcome

    Hi,

    We will need to remove the Vundo infection manually. Please print these directions and then proceed with the following steps in order.

    Step #1

    Please download Process Explorer by Sysinternals and unzip it to your desktop.

    Also download Killbox by Option^Explicit and unzip it to your desktop.

    Step #2

    Open Notepad and copy/paste the text in the quotebox below into the new document:

    Quote:
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

    [-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

    [-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]



    Save the document to your desktop as fixvundo.reg and close Notepad.

    Step #3

    The rest of this fix must be done in safe mode.

    Make sure you have printed out these instructions as you will not have Internet Access for the rest of this fix.

    Start in Safe Mode Using the F8 method:

    * Restart the computer.
    * As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    * Use the arrow keys to select the Safe Mode menu item.
    * Press the Enter key.


    Locate procexp.exe on your desktop and double-click it to start Process Explorer.

    In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of dbmc.dll once and then click the kill button.

    After you have killed all of the dbmc.dll's under winlogon click OK.

    If you see any .ini or .bak files with either the same name or the file name in reverse, kill them as well.

    Next double-click on explorer.exe, select the Threads tab, and again click once on each instance of dbmc.dll then click the kill button.

    Again, if you see any .ini or .bak files with either the same name or the file name in reverse, kill them as well.

    Once you have done that click OK again.

    Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Speech\dbmc.dll
    O20 - Winlogon Notify: dbmc - C:\WINDOWS\Speech\dbmc.dll

    Close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

    Now locate the fixvundo.reg file on your desktop and right-click on it. Choose Merge and answer Yes or Ok if you get any other prompts.

    Step #4

    Double-click on KillBox.exe to start the program.

    * Click Delete on Reboot.
    * Paste the line below into the top Full Path of File to Delete box.
    C:\WINDOWS\Speech\dbmc.dll
    * Click the Delete File button which looks like a stop sign.
    * Click Yes at the Delete on Reboot prompt.
    * Click Yes at the Delete next Reboot prompt.
    * If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.


    Step #5

    After your computer reboots normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

    & yes, there are more items to remove, but work on this first.

    HGD
    Last edited by HJThis; 13-07-2005 at 09:16 PM.
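As an added defender's check (not part of this thread, and not code from HijackThis or its author), the Python script below parses the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log and flags any DLL registered in both places, which is exactly the dbmc.dll pairing the fix above removes, along with entries whose file is already gone. The sample log lines are constructed from the log posted in this thread.

```python
import re

# Constructed sample in HijackThis v1.99 log format, modelled on the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\WINDOWS\System32\req.dat (file missing)
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Speech\dbmc.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O20 - Winlogon Notify: dbmc - C:\WINDOWS\Speech\dbmc.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: req - C:\WINDOWS\System32\req.dat (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<label>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<label>\S+) - (?P<target>.*)$")


def parse_entries(log_text):
    """Yield (section, label, path, present) for each O2 / O20 line; other lines are skipped.
    label is the CLSID for O2 entries and the Notify subkey name for O20 entries."""
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line) or O20_RE.match(line)
        if not m:
            continue
        section = line.split(" ", 1)[0]
        target = m.group("target").strip()
        if target == "(no file)":
            yield section, m.group("label"), None, False
        elif target.endswith("(file missing)"):
            yield section, m.group("label"), target[: -len("(file missing)")].strip(), False
        else:
            yield section, m.group("label"), target, True


def find_suspects(log_text):
    """Return orphaned entries and DLLs registered as both a BHO (O2) and a Winlogon
    Notify handler (O20), the pairing the fix in this thread targets for dbmc.dll."""
    seen = {}      # lower-cased path -> (path as written, set of sections it appears in)
    missing = []   # entries whose file is gone: harmless leftovers worth cleaning up
    for section, label, path, present in parse_entries(log_text):
        if not present:
            missing.append(f"{section} {label}")
            continue
        _, sections = seen.setdefault(path.lower(), (path, set()))
        sections.add(section)
    dual = [path for path, secs in seen.values() if {"O2", "O20"} <= secs]
    return {"bho_and_winlogon": dual, "missing": missing}


if __name__ == "__main__":
    for kind, items in find_suspects(SAMPLE_LOG).items():
        print(kind, items)
```

A DLL appearing in both lists is not proof of infection on its own, but a Speech-folder DLL hooked into winlogon is the kind of entry worth confirming before it is removed.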
