Hi!!
This is the answer's first step: I will give you some instructions and
some things to download and do, then you will post the results of these
instructions as a request for clarification and I will tell you
what else you must do to fix your computer. If we are lucky, after you
follow this last set of instructions your computer could be clean.
First thing to do:
Scan your computer online with the following tools from Trend Micro:
(do all the tasks: virus scan, spyware scan and download CWShredder to
remove CoolWebSearch, this is a common pestware that is usually
present on infected computers). Let these tools remove all that they
find.
http://housecall.trendmicro.com/
Second thing to do:
Download and run the following HijackThis autoinstall program. HJT
needs to be in its own folder so that the program itself isn't deleted
by accident. Having the backups could be VITAL to restoring your
system if something went wrong in the FIX process!
http://thespykiller.co.uk/files/HJTsetup.exe
HijackThis is an expert's tool used to remove hijackers and spyware,
but since it works on demand, not automatically, you only need to post
a log here as a clarification and then I will analyze it and tell you
what the next steps are.
To see how to get and post a log here see the following tutorial at
BleepingComputer.com; remember to only post the log without fixing
anything, I will tell you which items must be selected to fix:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HowToUse
Note that on Windows NT, 2000, & XP, it requires that you have
administrator privileges.
Please post the scan log from HijackThis' scan, WITHOUT fixing
anything, and after I analyze it I will tell you what things must be
fixed with HJT. Also let me know what happened with the online scans.
Probably other procedures and products could be necessary to complete the cleaning.
Remember that this answer is not considered ended until you get rid
of this pestware. Use the clarification feature as many times as
needed; I will be glad to give you further assistance in case you
need it.
Regards,
livioflores-ga

Clarification of Answer by livioflores-ga on 22 Nov 2005 15:30 PST
Hi again!!
I suggest you use the request for answer clarification feature
instead of posting comments to continue this thread.
Regarding your log file, please disable the System Restore feature if it
is enabled and then reboot your computer in Safe Mode, run HJT and
press the Scan only button, then select to fix the following items:
O4 - HKLM\..\Run: [LSAS] C:\WINDOWS\system32\LSAS.exe /check
O4 - HKLM\..\Run: [SHA256] C:\Program Files\SHA256\secure.exe
O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe
Click on the Fix button.
Now find and delete if still present the following files:
C:\WINDOWS\system32\LSAS.exe
C:\Program Files\SHA256\secure.exe
C:\Program Files\AdsBlocker\stopAds.exe
Reboot in normal mode and check your computer's behaviour, then post a
fresh HJT log. I will analyze this new log to see if there are some
remnant pests and to see if a different method or program is
necessary.
Regards,
livioflores-ga
Hope this helps you.

Request for Answer Clarification by cb999-ga on 23 Nov 2005 05:11 PST
Thanks but big problem now.
I did as you suggested and rebooted in Safe Mode.
Tried deleting the 3 files from the DOS prompt. Last two OK (including
their directories) but "Access Denied" on
C:\WINDOWS\system32\LSAS.exe. So I managed to rename it to LSAS1.EXE.
Shutdown and rebooted - blue screen and nothing else, not even mouse movement.
Shutdown again and rebooted, F8, restore to Last known good config -
same results, blue screen, won't boot!
Help! (I was feeling so encouraged up to that point)
Chris

Clarification of Answer by livioflores-ga on 23 Nov 2005 06:12 PST
Hi!!
This is a very strange situation. What does the blue screen message say?
If possible you must try to restore all to the original situation. Try
to boot in safe mode; if you can, create a new restoration point using
the system restore feature, do not do a restoration, only create a new
point (if you cannot do this just skip this step).
Check if the Recycle bin still contains the deleted folders and
restore them, also rename the LSAS1.exe file to its original name.
Still in safe mode run HJT, and use its restore feature to restore all
the fixed items:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HTRestore
If all works fine now you can boot normally, but with your computer
still infected.
At this point please reboot in normal mode and post a new HJT log.
If you cannot boot in safe mode you will need to use the Recovery
console, see at the following page the link "How to access the
Recovery Console" and click on it:
http://www.webtree.ca/windowsxp/repair_xp.htm
Let me know how this works and I will continue assisting you on fixing
your computer.
Regards,
livioflores-ga

Request for Answer Clarification by cb999-ga on 23 Nov 2005 10:36 PST
Thanks for your suggestions guys but now I can't do anything with the
machine at all. I can't boot in normal mode or safe mode. I can't
restore to a "last good configuration" - all I get is a blue screen
with a mouse arrow in the middle. I've also mislaid my original
Windows XP Pro O/S CD. The machine is a Dell Dimension 2400 but I have
Windows CD's from other systems.
Any suggestions?
Chris

Clarification of Answer by livioflores-ga on 23 Nov 2005 14:24 PST
The Windows CD's of the other systems will work, if they are Windows
XP installation CDs.
Note that feldersoft's comment gives us a big clue: is it possible
that you renamed LSASS.exe instead of LSAS.exe? If this was what
happened, try booting from a Windows XP CD (any one will work) and from
the Recovery Console restore the LSASS.exe file to its original name.
You can also make the six boot disks for XP on any working XP system,
boot with them and using the command prompt try to undo the renaming.
See the following page for the boot disks:
http://www.bootdisk.com/bootdisk.htm
Read also the following article on "How to Perform a Windows XP Repair Install":
http://www.michaelstevenstech.com/XPrepairinstall.htm
I hope that this helps you. Please, keep me updated on how this is working.
Regards,
livioflores-ga
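The LSAS.exe versus LSASS.exe confusion in the reply above is the classic name-imitation trick, and it is exactly what a log reviewer has to catch before telling someone which file to delete. The following checker is an added example, not code from this thread or from HijackThis: it parses the O4 registry-run lines of a HJT log and flags an executable whose name is one edit away from a core Windows process, and, going one step beyond this thread, also flags a core process name that runs from somewhere other than its normal directory. The table of core processes and their directories is an assumption, and the sample log lines are an excerpt copied from the logs posted in this thread.

```python
"""Flag HijackThis O4 (autorun) entries whose executable imitates a core
Windows process by name, e.g. LSAS.exe posing as lsass.exe."""
import re
from typing import Dict, List, Optional

# Core Windows XP processes and the directory each legitimately runs from.
# Assumed list for this example; extend it for your own baseline.
CRITICAL: Dict[str, str] = {
    "lsass.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "smss.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}

# "O4 - HKLM\..\Run: [Name] command"; Startup-folder O4 lines use "=" and are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def command_path(cmd: str) -> str:
    """Executable path of an O4 command line, without surrounding quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, then arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path may itself contain spaces, so cut at the first ".exe" token end.
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); 1 for lsas.exe vs lsass.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path: str) -> Optional[str]:
    """Finding label for one executable path, or None when nothing looks odd."""
    directory, _, base = path.lower().rpartition("\\")
    if base in CRITICAL:
        # Exact system name: fine only when it runs from its real directory.
        return None if directory == CRITICAL[base] else f"system name outside its directory ({base})"
    for real in sorted(CRITICAL):
        if levenshtein(base, real) <= 1:
            return f"lookalike of {real}"
    return None


def scan_hjt(log_text: str) -> List[Dict[str, str]]:
    """Parse every O4 registry-run line of a HijackThis log and return the suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = command_path(m.group("cmd"))
        label = classify(path)
        if label:
            findings.append({"entry": m.group("name"), "path": path, "why": label})
    return findings


# Constructed excerpt: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
O4 - HKLM\..\Run: [LSAS] C:\WINDOWS\system32\LSAS.exe /check
O4 - HKLM\..\Run: [SHA256] C:\Program Files\SHA256\secure.exe
O4 - HKLM\..\Run: [terminal] C:\WINDOWS\system32\terminal.exe /reloadenterpice
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
"""

if __name__ == "__main__":
    for f in scan_hjt(SAMPLE_LOG):
        print(f"[{f['entry']}] {f['path']} -> {f['why']}")
```

Only the LSAS entry is reported for the sample; the genuine lsass.exe under "Running processes" is not an O4 line and is ignored, and terminal.exe is unusual but not a name imitation, so it still needs the manual Properties check the thread goes on to describe.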

Request for Answer Clarification by cb999-ga on 23 Nov 2005 22:22 PST
Thanks for persisting with this suggestion 'cos that seems to be the
answer. I changed the Setup to boot from a Windows XP Pro CD-ROM, Ran
the Recovery Console and renamed the file back to its original name.
Then rebooted (from the hard drive) and it was fine. \o/
I'll monitor the PC for any reoccurrence of the allsexsms.exe popup
and keep you informed.
Thanks
Chris

Clarification of Answer by livioflores-ga on 23 Nov 2005 23:27 PST
Hi!!
Glad to know that you have recovered control over your computer.
Did you rename LSASS.exe instead of the LSAS.exe file? (It is important
to know in case your computer is still infected.)
Also it is not a bad idea to run Symantec's W32.Gaobot Removal Tool, just in case:
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.removal.tool.html
After that check your computer behaviour and post a fresh HJT log.
Regards,
livioflores-ga

Request for Answer Clarification by cb999-ga on 24 Nov 2005 00:34 PST
Hi again,
Yes I must have and I can find no occurrence of LSAS.EXE anywhere?
I'm now running the Symantec Tool and i'll keep you posted.
Thanks
Chris

Clarification of Answer by livioflores-ga on 24 Nov 2005 02:22 PST
Hi again!!
I think that HJT has deleted it (the LSAS.exe file), so Symantec's
removal tool will probably find nothing.
Please check if the popups have disappeared and post a new fresh HJT log.
Good luck!!
livioflores-ga

Request for Answer Clarification by cb999-ga on 24 Nov 2005 03:42 PST
Nothing has appeared so far this morning but this popup is a clever
one and sometimes lies dormant for a while and then pops up when you
least expect it to. Anyway, here's the latest log:-
Logfile of HijackThis v1.99.1
Scan saved at 11:55:41, on 24/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\paamsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\REAL\realjbox.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\WS_FTP Pro\ftpqueue.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Acronis\PrivacyExpert\Shield.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iISystem Wiper\SystemWiper.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.softwareparadise.co.uk/welcome.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} -
C:\Program Files\Aladdin Systems\Internet Cleanup\IC3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} -
C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class -
{601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP
Pro\wsbho2k0.dll
O2 - BHO: Google Web Accelerator Helper -
{69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web
Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} -
C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Acronis Popup Blocker -
{E24AD748-155E-4254-B674-4EDF86E7E1DF} -
C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} -
C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Google Web Accelerator -
{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web
Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [terminal] C:\WINDOWS\system32\terminal.exe /reloadenterpice
O4 - HKLM\..\Run: [REAL] C:\Program Files\REAL\realjbox.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program
Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ftpqueue] C:\Program Files\WS_FTP Pro\ftpqueue.exe -tray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program
Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Acronis Popup Blocker] RunDll32.exe
C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll,Run
O4 - HKLM\..\Run: [SpyWare Shield] "C:\Program
Files\Acronis\PrivacyExpert\Shield.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI
RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: IC Task Manager.lnk = C:\Program Files\Aladdin
Systems\Internet Cleanup\ONICTASK.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program
Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word -
res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Acronis Pop-up Blocker -
{2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} -
C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker -
{2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} -
C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46}
- file://C:\Program Files\Siber Systems\AI
RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms -
{320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} -
file://C:\Program Files\Siber Systems\AI
RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms -
{320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} -
file://C:\Program Files\Siber Systems\AI
RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar -
{724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: IC 3.0 - {bba9a1cb-c90a-4912-8f01-dfa51a2b4102} -
C:\Program Files\Aladdin Systems\Internet Cleanup\IC3hlpr.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control)
- http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan
Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
- http://a840.g.akamai.net/7/840/537/2005102501/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = softpara.local
O17 - HKLM\Software\..\Telephony: DomainName = softpara.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3925A172-FB58-4A83-88AF-70BE807ECD08}:
NameServer = 194.106.56.6 194.106.33.42
O17 - HKLM\System\CCS\Services\Tcpip\..\{421BA73A-1395-4B3A-A028-E0E4FC316CC8}:
NameServer = 192.168.1.99
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = softpara.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = softpara.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = softpara.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis -
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccSetMgr.exe
O23 - Service: Ipswitch WS_FTP Queue (ftpqueue) - Ipswitch, Inc., 81
Hartwell Ave, Lexington MA 02421 - C:\Program Files\WS_FTP
Pro\ftpsched.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software -
C:\WINDOWS\System32\gearsec.exe
O23 - Service: icservice - Aladdin Systems, Inc. - C:\Program
Files\Aladdin Systems\Internet Cleanup\icserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) -
Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) -
Symantec Corporation - C:\Program Files\Norton
AntiVirus\IWP\NPFMntor.exe
O23 - Service: Process Activity Monitor (paamsrv) - Unknown owner -
C:\Program Files\Common
Files\Acronis\ProcessActivityMonitor\paamsrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program
Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec
Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) -
America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Chris

Clarification of Answer by livioflores-ga on 24 Nov 2005 07:08 PST
Hi!!
Your system appears to be clean right now, except for the item:
O4 - HKLM\..\Run: [terminal] C:\WINDOWS\system32\terminal.exe /reloadenterpice
I do not know what this program does, so please do the following if you
cannot identify its purpose:
Ensure that all the files in your system are viewable:
"Help: How to Show System Files"
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5
Now search for this file in the C:\WINDOWS\system32\ folder, right-click
it and select the Properties option. Please post that info here. If
this program turns out to be suspicious and the following task does not clean
it we can try disabling it from start up, but we will try this later.
Also, for a second opinion, download and install the trial version of
EWIDO (it works like a full featured version for 14 days!):
http://download.ewido.net/ewido-setup.exe
·Install ewido security suite
·Launch ewido, there should be a big E icon on your desktop, double-click it.
·The program will prompt you to update click the OK button
·The program will now go to the main screen
You will need to update ewido to the latest definition files.
·On the left hand side of the main screen click update
·Click on Start
The update will start and a progress bar will show the updates being installed.
·After the updates are installed, exit Ewido.
ALTERNATIVE METHOD FOR UPDATE:
Download the last signature installer and run it:
http://download.ewido.net/ewido-signatures-full-20051124.exe
·Run Ewido.
-Click on scanner
-Make sure the following boxes are checked before scanning:
º Binder
º Crypter
º Archives
-Click on Start Scan
Let the program scan the machine. While the scan is in progress you
will be prompted to clean the first infected file it finds. Choose
"clean", then put a check next to "Perform action on all infections"
in the left corner of the box so you don't have to sit and watch Ewido
the whole time. Click OK.
Once the scan has completed, there will be a button located on the
bottom of the screen named Save report:
·Click Save report
·Save the report to your desktop
·Exit Ewido
·Reboot into normal mode
Now check again the computer's behaviour and post the Ewido report if it
fixed anything. If it does not find anything we can consider your
computer clean and safe.
Regards,
livioflores-ga

Clarification of Answer by livioflores-ga on 27 Nov 2005 14:50 PST
Thank you so much for your comments, good rating and the generous tip!!
I am so glad to know that you have fixed your computer, and also to
see that my work was helpful to you.
Best regards,
livioflores-ga

Request for Answer Clarification by cb999-ga on 29 Nov 2005 02:13 PST
The pesky popup is still there. It seems to be able to lie low, thus
fooling us that it's gone when it's not.
Any more suggestions would be appreciated
Chris

Request for Answer Clarification by cb999-ga on 29 Nov 2005 04:30 PST
FYI: I downloaded a very useful Task Monitor from www.neuber.com and
this pinpointed some dubious tasks including trackurl.exe and
stopads.exe and where they were located. I removed them using HJT and
then removed the directory REAL in Programs and once again, all
appears to be well.
Fingers crossed - this has sorted the problem once and for all.

Clarification of Answer by livioflores-ga on 29 Nov 2005 04:54 PST
Hi!!
Fingers crossed too!!!
Well, you have learnt something, that is good; if you want you can post
a HJT log so I can check if I find something to fix.
Also take into account the following advice:
You will need a firewall, if you are not using the Norton Internet
Security suite or any other (using two at the same time means
problems). I recommend you a free one; it works very well on home
computers and it is easily customizable in case you need to
open or close some specific port or need to block an application.
This program is Zone Alarm:
http://www.softpedia.com/get/Security/Firewall/ZoneAlarm-Free.shtml
Download it from here:
http://download.softpedia.ro/software/SECURITY/FIREWALL/zlsSetup_61_737_000_en.exe
or
http://www.majorgeeks.com/ZoneAlarm_Free_d388.html
Two more tools will be needed to protect your computer:
SpywareBlaster:
This tool is for preventing the installation of pestware.
http://www.javacoolsoftware.com/spywareblaster.html
"Using SpywareBlaster to protect your computer from Spyware,
Hijackers, and Malware":
http://www.bleepingcomputer.com/tutorials/tutorial49.html
The other one is its brother SpywareGuard:
A real-time protection solution against spyware.
http://www.javacoolsoftware.com/spywareguard.html
"Using SpywareGuard to protect your computer from Spyware & Hijackers":
http://www.bleepingcomputer.com/tutorials/tutorial50.html
One more thing needed is a tool to clean the temporary files and
folders and also all the stuff that comes from the Internet and is
kept unused in the computer. For this the best option is CCleaner:
http://www.ccleaner.com
Download it from here:
http://www.ccleaner.com/ccdownload.asp
For guides on how to use it see:
"CCleaner: Get the Crap Out of Your PC - WinPlanet Windows Software Reviews":
http://www.winplanet.com/article/2869-.htm
"CCleaner - Quick Tour":
http://www.ccleaner.com/help/tour1.asp
"Clean & Protected - CCleaner Scan tutorial":
http://uk.geocities.com/cleanandprotected/ccleaner_scan_tutorial.html
Good luck and best regards,
livioflores-ga