Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
sompa, Junior Member
Joined: 31 Mar 2005 Last Visit: 10 Dec 2005 Posts: 15
Posted: Sat Dec 03, 2005 8:54 am Post subject: system sloooow -zango? and other?
My system was already running painfully slow and took forever to boot, then it got hit with Zango today.... Now it's even worse. I tried to remove Zango but I'm not sure if I got it all. I know there's other junk still there. I have run Ad-Aware and Spybot. Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:48:50 AM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ORB Networks\ORB\Cab\MainRegister\CabDirectory.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MediaGateway\MediaGateway.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Netropa\Onscreen display\Osd.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - Startup: Shortcut to osd.lnk = C:\Program Files\Netropa\Onscreen display\Osd.exe
O4 - Global Startup: ORB.lnk = C:\Program Files\ORB Networks\ORB\ORBTrayIcon\OrbTrayIcon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133268856263
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133268829465
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: CabDirectory - Orb Networks - C:\Program Files\ORB Networks\ORB\Cab\MainRegister\CabDirectory.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OrbMediaService - Orb Networks - C:\Program Files\ORB Networks\ORB\ORBServices\OrbMediaService\OrbMediaService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Thanks,
Sompa
pskelley, SWW Masters Graduate
Joined: 06 Apr 2004 Last Visit: 28 Aug 2008 Posts: 168 Location: Clearwater, Florida
Posted: Wed Dec 07, 2005 3:43 am
Hi Sompa, welcome to the forum. Let's do a little cleaning and see if that helps. Do this in the posted order.
1) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.
2) Open Add Remove programs in your Control Panel and uninstall these programs if they are there: MediaGateway, Zango Toolbar
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
(these two restrictions are in place; you can check and remove them if you do not want them)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Close all programs but HJT and all browser windows, then click on "Fix Checked".
4) Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Program Files\MediaGateway\ >>> folder
C:\Program Files\Zango Programs\ >>> folder
C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
5) Download CCleaner from this link: http://www.ccleaner.com/ and review the instructions here: http://www.ccleaner.com/help/tour1.asp Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do. Then restart the computer and post a new HJT log in this same thread along with any feedback you have. Let me know how you are running now.
Thanks...pskelley
SWW HJT forum
sompa, Junior Member
Joined: 31 Mar 2005 Last Visit: 10 Dec 2005 Posts: 15
Posted: Thu Dec 08, 2005 4:41 pm Post subject: new hjt log
I have completed your instructions. The computer is still running quite slow, and it takes more than 5 min just to reboot. Here's the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:39:23 PM, on 12/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ORB Networks\ORB\Cab\MainRegister\CabDirectory.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\ORB Networks\ORB\ORBServices\OrbMediaService\OrbMediaService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ORB Networks\ORB\ORBTrayIcon\OrbTrayIcon.exe
C:\Program Files\Netropa\Onscreen display\Osd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ORB Networks\ORB\bin\Orb.exe
C:\Program Files\ORB Networks\ORB\bin\OrbMedia.exe
C:\Program Files\ORB Networks\ORB\bin\OrbClient.exe
C:\Program Files\ORB Networks\ORB\ORBTV\OrbStreamer\OrbStreamer.exe
C:\Program Files\ORB Networks\ORB\ORBTV\OrbStreamer\rtspServer.exe
C:\Program Files\ORB Networks\ORB\ORBTV\OrbTVXml\OrbTVXML.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ORB Networks\ORB\ORBTV\OrbTVXml\xmltv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Peck\LOCALS~1\Temp\par-Peck\cache-028aea7e730151cd6bab24bc782fe464675e9e92\xmltv.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - Startup: Shortcut to osd.lnk = C:\Program Files\Netropa\Onscreen display\Osd.exe
O4 - Global Startup: ORB.lnk = C:\Program Files\ORB Networks\ORB\ORBTrayIcon\OrbTrayIcon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133268856263
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133268829465
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: CabDirectory - Orb Networks - C:\Program Files\ORB Networks\ORB\Cab\MainRegister\CabDirectory.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OrbMediaService - Orb Networks - C:\Program Files\ORB Networks\ORB\ORBServices\OrbMediaService\OrbMediaService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
pskelley, SWW Masters Graduate
Joined: 06 Apr 2004 Last Visit: 28 Aug 2008 Posts: 168 Location: Clearwater, Florida
Posted: Thu Dec 08, 2005 5:11 pm
I need a little information: all of the ORB Networks stuff was not showing in the first log? Is this your ISP? Do you know why it was not in the first log?
Keep in mind, I am here to help you get rid of malware. I can't make your computer run faster, unless the malware was causing the problem. I may have some ideas that may help once we clean out the malware.
This item: C:\DOCUME~1\Peck\LOCALS~1\Temp\par-Peck\cache-028aea7e730151cd6bab24bc782fe464675e9e92\xmltv.exe Do you know what it is and why it is running from a Temp folder? If not, then navigate to that Temp folder and delete everything in it (NOT THE FOLDER). If it won't let you delete the Temp stuff, do it in Safe Mode: http://www.bleepingcomputer.com/forums/tutorial61.html
Let's use ewido to see what may be hiding. When ewido locates stuff, delete it unless you know something is not bad. I will advise you about anything you ignore. Make sure you save the scan report, I must see that first report.
Please download Ewido Security Suite; it is a trial version of the program.
- Install ewido security suite
- Launch ewido, there should be an icon on your desktop double-click it.
- The program will now go to the main screen
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update
- Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Once the updates are installed do the following:
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- NOTE: During some scans with ewido it is finding cases of false positives.**
- You will need to step through the process of cleaning files one-by-one.
- If ewido detects a file you KNOW to be legitimate, select none as the action.
- DO NOT select "Perform action on all infections"
- If you are unsure of any entry found select none for now.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")
Then restart the computer and post a new HJT log and the Ewido scan results in this same thread along with any feedback you have. I need the information I asked for above.
Thanks...pskelley
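An added example, not code from the thread, the forum or HijackThis itself: a Python script that applies the checks pskelley made on the logs in this thread (a toolbar entry marked "(file missing)", the Zango and MediaGateway names he told the poster to uninstall, the O6 restrictions, a process running from the user's Temp folder) and lists what appeared between two scans, which is how the ORB entries stood out. The sample logs are constructed from lines quoted in this thread; the rule names and the SUSPECT_NAMES list are assumptions of mine.

```python
"""HijackThis 1.99 log triage, mirroring the checks made in this thread.

Added example, not code from the thread, the forum, or HijackThis itself.
Flags O2/O3/O4 entries whose file is missing or whose name the thread said
to uninstall (Zango, MediaGateway), O6 IE policy restrictions, processes
started from a user's Temp folder (the xmltv.exe case), and, via new_since(),
what appeared between two scans (the ORB entries). Sample logs are built
from lines quoted in this thread; rule names are my own.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the first log, trimmed to a few lines from the thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\MediaGateway\MediaGateway.exe
C:\HJT\HijackThis.exe
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# Constructed sample: the second log, after the Zango/MediaGateway cleanup.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ORB Networks\ORB\bin\Orb.exe
C:\DOCUME~1\Peck\LOCALS~1\Temp\par-Peck\cache-028aea7e730151cd6bab24bc782fe464675e9e92\xmltv.exe
C:\HJT\HijackThis.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: OrbMediaService - Orb Networks - C:\Program Files\ORB Networks\ORB\ORBServices\OrbMediaService\OrbMediaService.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*)$")
# Short (LOCALS~1) and long forms of the per-user Temp folder on Windows XP.
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# Names the thread told the poster to uninstall; extend for your own case.
SUSPECT_NAMES = ("zango", "mediagateway")


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    entries: dict = field(default_factory=dict)   # section -> [body, ...]


def parse_hjt(text):
    """Split a log into the running-process list and its numbered entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False            # the first numbered entry ends the list
            log.entries.setdefault(m["sec"], []).append(m["body"])
        elif in_procs:
            log.processes.append(line)
    return log


def _suspect(text):
    return any(name in text.lower() for name in SUSPECT_NAMES)


def triage(log):
    """Apply the thread's checks; returns (rule, line) pairs in log order."""
    findings = []
    for proc in log.processes:
        if TEMP_RE.search(proc):
            findings.append(("process-from-temp", proc))
        elif _suspect(proc):
            findings.append(("known-adware-name", proc))
    for sec in ("O2", "O3", "O4"):
        for body in log.entries.get(sec, []):
            if "(file missing)" in body.lower():
                findings.append(("file-missing", f"{sec} - {body}"))
            elif _suspect(body):
                findings.append(("known-adware-name", f"{sec} - {body}"))
    for body in log.entries.get("O6", []):
        findings.append(("ie-policy-restriction", f"O6 - {body}"))
    return findings


def new_since(before, after):
    """Processes and entries present in `after` but absent from `before`."""
    seen = set(before.processes)
    for sec, bodies in before.entries.items():
        seen.update(f"{sec} - {b}" for b in bodies)
    added = [p for p in after.processes if p not in seen]
    for sec, bodies in after.entries.items():
        added.extend(f"{sec} - {b}" for b in bodies if f"{sec} - {b}" not in seen)
    return added
```

Run `triage(parse_hjt(text))` on a full log to get the flagged lines, and `new_since()` on two consecutive logs to see what changed between scans.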
sompa, Junior Member
Joined: 31 Mar 2005 Last Visit: 10 Dec 2005 Posts: 15
Posted: Fri Dec 09, 2005 12:04 am Post subject: ok
OK, I have finished your instructions. Orb is a service that allows me to obtain files on my computer remotely. I do use it. I understand you are here to assist only with malware, and I appreciate your help very much. If the logs you ask me to post show no sign of malware, then tell me to go home. I came here because my computer wasn't running right, and I hadn't installed anything that I knew of to cause the problems.
Upon the last reboot, I received a Windows warning saying that my firewall was not turned on and my antivirus software cannot be found. These are not warnings I normally get, so I'm not quite sure what to do with it. The xmltv file you refer to, I have no idea what that is. I deleted it, but noticed it was back again. Also, now my Orb won't start; it says I may need to reinstall. Not a big deal.
Here are the two logs you asked for:
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 2:50:39 AM, on 12/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ORB Networks\ORB\Cab\MainRegister\CabDirectory.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Netropa\Onscreen display\Osd.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Regx10EXE] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - Startup: Shortcut to osd.lnk = C:\Program Files\Netropa\Onscreen display\Osd.exe
O4 - Global Startup: ORB.lnk = C:\Program Files\ORB Networks\ORB\ORBTrayIcon\OrbTrayIcon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133268856263
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133268829465
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: CabDirectory - Orb Networks - C:\Program Files\ORB Networks\ORB\Cab\MainRegister\CabDirectory.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OrbMediaService - Orb Networks - C:\Program Files\ORB Networks\ORB\ORBServices\OrbMediaService\OrbMediaService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
and here is the Ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 2:38:45 AM, 12/9/2005
+ Report-Checksum: A09E9609
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{10125C2E-6821-4070-B24E-2E992501AD55} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3D60A552-96C1-4b38-BD9B-6909F6DA782B} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7631768F-511E-41d8-BADB-604B0034776B} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7DEAEF89-F913-4750-801E-F3C1059299F1} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9675521B-D654-4373-83E3-B80AB89FF5AA} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CA0B9B6D-C2AF-11D3-B376-0800460222F0} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{7DEAEF88-F913-4750-801E-F3C1059299F1} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{7DEAEF8A-F913-4750-801E-F3C1059299F1} -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\iWon.PopSwatterBarButton -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\iWon.PopSwatterBarButton\CLSID -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\iWon.PopSwatterBarButton\CurVer -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\iWon.PopSwatterBarButton.1 -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\iWon.PopSwatterSettingsControl -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\iWon.PopSwatterSettingsControl\CLSID -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\iWon.PopSwatterSettingsControl\CurVer -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\iWon.PopSwatterSettingsControl.1 -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\IWonToolbar.SettingsPlugin -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\IWonToolbar.SettingsPlugin\CLSID -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\IWonToolbar.SettingsPlugin\CurVer -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\Classes\IWonToolbar.SettingsPlugin.1 -> Spyware.iWon : Cleaned with backup
HKLM\SOFTWARE\ToolBar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-436374069-1343024091-1957994488-1003\Software\2nd -> Spyware.SecondThought : Cleaned with backup
HKU\S-1-5-21-436374069-1343024091-1957994488-1003\Software\2nd\Client -> Spyware.SecondThought : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Peck\Application Data\Mozilla\Firefox\Profiles\anu29uv6.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Peck\Desktop\Dads Stuff\uninstall6_30.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\304438.rar/304438.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\wzsex21x.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\msbaij.dll -> Spyware.Ipend : Cleaned with backup
C:\WINDOWS\system32\mscjjn.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\system32\msddlc.dll -> Dropper.Siboco.d : Cleaned with backup
::Report End
Thank you again for your help
pskelley, SWW Masters Graduate
Joined: 06 Apr 2004 Last Visit: 28 Aug 2008 Posts: 168 Location: Clearwater, Florida
Posted: Fri Dec 09, 2005 5:17 am
OK, thanks for the feedback; let's you and I work together to fix this thing. First, you said you use the ORB service, and if it was not running in the first log, that would indicate why it was showing in services but not in the log. I've never seen that one before and I am saving a link to look it over later. Sompa, could this or any other program, Windows updates or anything else have been downloaded at the time the computer started experiencing these issues? I see you mention not installing anything, but just give my question some thought.
Quote:
Upon the last reboot, I received a Windows warning saying that my firewall was not turned on, and my antivirus software cannot be found
Did you check the Security Center in the Control Panel to see if all three items (AV, Firewall and Updates) are all on go? Oops, not the firewall if you are using a Norton Firewall.
Quote:
The xmltv file you refer to, I have no idea what that is. I deleted it, but noticed it was back again. Also, now my Orb won't start; it says I may need to reinstall. Not a big deal.
The xmltv file: I get this when I search Google for it: http://membled.com/work/apps/xmltv/ You say you "noticed it was back again" but I don't see it in the log. Does that link mean anything to you? If this has something to do with the ORB program I would not recognize it, since I don't know the program. If it is back on the computer, would you right-click and look at Properties to see if you can find out if it is valid? You can also use these free online scanners to see what it is:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
All it takes is one trojan to really mess up a computer.
If you can't locate it, look in your Recycle Bin; if it is there, investigate it there (don't empty the bin until we know what it is). You might also restore it and then see if the ORB program opens; this would give us a fair clue it has to do with that program. I have no idea why a program would install something important in a TEMP file, but they do. Any Temp file should be able to be cleaned out.
Logfile of HijackThis v1.99.1 Scan saved at 2:50:39 AM, on 12/9/2005
I see nothing that appears to be malware in this HJT log. I do see a Norton Firewall, so I must say the SP2 firewall in the Security Center should not be on, since you are running Norton's. I would like you to update your Norton and run a complete system scan and let me know the results.
ewido security suite - Scan report Created on: 2:38:45 AM, 12/9/2005
Nothing showing that ewido was not able to remove, would you let me know if the computer is running any better since the stuff was removed by ewido. Are you receiving any error messages?
This item, "Spyware.AproposMedia : Cleaned with backup", is an indication we may have a rootkit infection on our hands; let's run a tool to remove it if it is there:
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
Please post any information I requested above along with these two logs.
Thanks...Phil
sompa, Junior Member
Joined: 31 Mar 2005 Last Visit: 10 Dec 2005 Posts: 15
Posted: Sat Dec 10, 2005 3:38 pm Post subject: oh well
I have followed all of your instructions and now my computer is barely running. Don't get me wrong, I really appreciate your help; I just think I've been going down the wrong path here. This site saved my butt a while back, and I was hoping I would be as lucky again. I need to concentrate on saving my data at this point (while I can), and just format and start from scratch. It stinks, but so it goes. Thanks again for trying to help.
Sompa
pskelley, SWW Masters Graduate
Joined: 06 Apr 2004 Last Visit: 28 Aug 2008 Posts: 168 Location: Clearwater, Florida
Posted: Thu Dec 15, 2005 4:47 pm
OK Sompa, if that is what you wish to do. I apologize I was not able to help you more; these infections are often much harder to get off than they are to get on. If you have not formatted yet, I strongly suggest you try the AproposFix; this is a rootkit infection that did not show up until we ran ewido. Best of luck with your decision and I hope your holidays are great ones. This thread will be closed in a few days.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
Thanks...pskelley
SWW HJT forum
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Topic locked. If you need it re-opened please pm me.
New issues please start a new topic.
Thank you.