Solution for "deep scanning the registry" problem!!!

18 replies to this topic

#1 johan_b (Member, 13 posts)

Posted 10 October 2006 - 11:30 AM

If Ad-aware can't deep scan your registry without stalling...

I have the solution!!!
I searched this forum and found a link to this "fix" program!
It seems to be some bad entries in the registry that need to be deleted in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\*******

And this program fixes it! :D

Try one of these links:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

U have to reboot and wait for 5 min but it's worth it!

#2 LS CalamityJane (Former Lavasoft Staff, 8814 posts)

Posted 10 October 2006 - 12:49 PM

Caution!: That is not a one-size-fits-all solution for the freezing issues. It's only one of many

I'm glad to hear that worked for you; however, it's only effective if you have that particular nasty, which is one of many that come with a rootkit, which is known to cause problems with scanning because it uses stealth technology to hide the malware from Windows. It is the rootkit that causes the freezing. There are numerous other malware that come with rootkits, hence the recommendation to run a rootkit tool to find the culprit, as you can see in this post stickied at the top of this forum:

Ad-Aware Freezing Issue

http://www.lavasofts...p?showtopic=783

There are other causes of the freezing as well, however, if you suspect a rootkit, use the rootkit finding tools posted in that link and wait for someone to interpret the results for you before taking action.

FixWareout is a stand-alone tool written by volunteers in malware research. It is not recommended you run this tool without trained supervision, as false positives are known to occur. If you delete files without knowing for sure, this could cause problems with your operating system. That is the reason a log is produced and you are requested to post it for review before taking any further action. Ditto for the rootkit finding tools posted. These tools will "see" legitimate files in addition to any bad files; therefore, do not delete anything without a recommendation by a trained malware/rootkit advisor.

Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#3 johan_b (Member, 13 posts)

Posted 10 October 2006 - 04:35 PM

Ok, thanks!

You're right, this is maybe just a solution for some....but I have tried so many things and nothing worked, so...
So far I have not found any problems after using this program...
And I have not deleted any files that were reported. It just deleted two entries that were "strange" and now I can scan again. Since I COULD scan before 2 months ago, these two entries must have been added after that somehow...anyways, thanks for a great forum!!!

#4 LS CalamityJane (Former Lavasoft Staff, 8814 posts)

Posted 10 October 2006 - 05:22 PM

FixWareout doesn't remove the infected files, just the registry entries, so we need to deal with any infected files it found (if any).

Could you please run the tool once more and post the report at the end: report.txt
Copy the results back here for review, there may be more to do to ensure your computer is clean and doesn't become re-infected.

#5 johan_b (Member, 13 posts)

Posted 10 October 2006 - 06:08 PM

Here is the report:
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1trap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\2trap
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSXKS.EXE
* csr.exe C:\WINDOWS\System32\{16B1B~1.EXE

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSXKS.EXE 51 275 2006-08-15

Other suspects.
Directory of C:\WINDOWS\system32
{4647DD55-05EB-4C27-A278-273CF2FC643F}.exe
{16B1BE4B-F5CF-43F6-978A-28CF59229D4E}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

That's all the report said.......

Edited by johan_b, 10 October 2006 - 06:10 PM.


#6 LS CalamityJane (Former Lavasoft Staff, 8814 posts)

Posted 10 October 2006 - 06:22 PM

Thanks,

Yes, you have some suspicious files that need looking at to see if they are part of this infection.

Go here to upload the files as attachments:
http://www.thespykil...x.php?board=1.0
Just press new topic (make the subject: For CalamityJane from johan_b at LS),
fill in a short message, then press the browse button and navigate to and select these files on your computer. If there is more than one file, press the more attachments button for each extra file and browse and select etc., and when all the files are listed in the window press the *Post* button to upload the files.

Files to attach for upload:

C:\WINDOWS\System32\CSXKS.EXE

C:\WINDOWS\system32\{4647DD55-05EB-4C27-A278-273CF2FC643F}.exe

C:\WINDOWS\system32\{16B1BE4B-F5CF-43F6-978A-28CF59229D4E}.exe

You DO NOT need to register to start a topic or upload; anybody can upload the files.

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect the files from there and will reply back here to you in this topic with steps to remove it, once I determine what it is.

#7 The Nephilim (Member, 13 posts)

Posted 10 October 2006 - 11:55 PM

Hi,
Johan contacted me via PM and directed me here, but now I see it could be a deeper issue. Calamity Jane, I ran the rootkit revealer program and I have my own post; if you don't mind, can you have a look at it? THNX

Here is the link, Calamity Jane:

http://www.lavasofts...?showtopic=3649

I posted the text I received from that program. THNX!!

#8 johan_b (Member, 13 posts)

Posted 11 October 2006 - 06:20 PM

LS CalamityJane, don't u think it's possible that one can remove the rootkit problem with a program, but not be able to fix the entries in regedit????? Cause in my case and "The Nephilim's" case it seems like we don't have any rootkit problems, but there's still something in the registry that freezes Ad-aware... :)
Now I will do what u asked for in your latest reply. Thanks for your help!

#9 LS CalamityJane (Former Lavasoft Staff, 8814 posts)

Posted 11 October 2006 - 10:38 PM

LS CalamityJane, don't u think it's possible that one can remove the rootkit problem with a program, but not be able to fix the entries in regedit????? Cause in my case and "The Nephilim's" case it seems like we don't have any rootkit problems, but there's still something in the registry that freezes Ad-aware... :huh:
Now I will do what u asked for in your latest reply. Thanks for your help!

Hi johan,

Let's get the infected files off of there and then see how Ad-Aware scans at that point.

All 3 files you uploaded were infected.

Please delete each of these and let me know if any problems deleting them:

C:\WINDOWS\System32\CSXKS.EXE

C:\WINDOWS\system32\{4647DD55-05EB-4C27-A278-273CF2FC643F}.exe

C:\WINDOWS\system32\{16B1BE4B-F5CF-43F6-978A-28CF59229D4E}.exe

#10 johan_b (Member, 13 posts)

Posted 13 October 2006 - 12:39 AM

Ok, now I've deleted them without a problem. All three files had the same date, so they must have had something in common....do u have any idea what type of infections they were? Will I have problems after removing them? I mean, maybe they belonged to a program or something....I remember that I installed a codec some time ago that gave me some problems, I think it was a spyware trick.....it could have been those files that were giving me hell then and now we found them. Thanks anyways for your help!
I'll post again if those files come back...

#11 LS CalamityJane (Former Lavasoft Staff, 8814 posts)

Posted 13 October 2006 - 01:05 AM

Hi johan,

Yes, they were all related and all infected. Scan results:

Complete scanning result of "csxks.exe", received in VirusTotal at 10.11.2006, 23:24:02 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.25 10.11.2006 HEUR/Malware
Authentium 4.93.8 10.11.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
Avast 4.7.892.0 10.11.2006 Win32:Agent-AVO
AVG 386 10.11.2006 no virus found
BitDefender 7.2 10.11.2006 Trojan.Downloader.Mohbpork.A
CAT-QuickHeal 8.00 10.11.2006 Trojan.DNSChanger
ClamAV devel-20060426 10.11.2006 no virus found
DrWeb 4.33 10.11.2006 Trojan.DnsChange
eTrust-InoculateIT 23.73.19 10.11.2006 no virus found
eTrust-Vet 30.3.3127 10.11.2006 Win32/Alureon!generic
Ewido 4.0 10.11.2006 Downloader.Agent.uj
Fortinet 2.82.0.0 10.11.2006 suspicious
F-Prot 3.16f 10.11.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
F-Prot4 4.2.1.29 10.11.2006 W32/SecRisk-ProcessPatcher-based!Maximus
Ikarus 0.2.65.0 10.11.2006 no virus found
Kaspersky 4.0.2.24 10.11.2006 Trojan-Downloader.Win32.Agent.uj
McAfee 4871 10.11.2006 no virus found
Microsoft 1.1603 10.11.2006 no virus found
NOD32v2 1.1797 10.10.2006 a variant of Win32/Small.FB
Norman 5.90.23 10.11.2006 no virus found
Panda 9.0.0.4 10.11.2006 Trj/Ruins.MB
TheHacker 6.0.1.096 10.11.2006 no virus found
UNA 1.83 10.11.2006 no virus found
VBA32 3.11.1 10.11.2006 Trojan.DownLoader.10960
VirusBuster 4.3.7:9 10.11.2006 no virus found

Aditional Information
File size: 51275 bytes
MD5: e37012dc8559e13c407b8bfaa9451ded
SHA1: 5fde7a8dec164e84e1ce208d3c2b4f29c5b65c89
..........................
Complete scanning result of "_4647DD55-05EB-4C27-A278-273CF2FC", received in VirusTotal at 10.11.2006, 23:28:26 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.25 10.11.2006 no virus found
Authentium 4.93.8 10.11.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
Avast 4.7.892.0 10.11.2006 Win32:Small-BHP
AVG 386 10.11.2006 no virus found
BitDefender 7.2 10.11.2006 MemScan:Trojan.Agent.QB
CAT-QuickHeal 8.00 10.11.2006 Trojan.DNSChanger
ClamAV devel-20060426 10.11.2006 no virus found
DrWeb 4.33 10.11.2006 Trojan.DnsChange
eTrust-InoculateIT 23.73.19 10.11.2006 no virus found
eTrust-Vet 30.3.3127 10.11.2006 Win32/Alureon!generic
Ewido 4.0 10.11.2006 no virus found
Fortinet 2.82.0.0 10.11.2006 suspicious
F-Prot 3.16f 10.11.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
F-Prot4 4.2.1.29 10.11.2006 W32/SecRisk-ProcessPatcher-based!Maximus
Ikarus 0.2.65.0 10.11.2006 no virus found
Kaspersky 4.0.2.24 10.11.2006 Trojan.Win32.Small.fb
McAfee 4871 10.11.2006 Downloader-ARR
Microsoft 1.1603 10.11.2006 no virus found
NOD32v2 1.1797 10.10.2006 a variant of Win32/Small.FB
Norman 5.90.23 10.11.2006 no virus found
Panda 9.0.0.4 10.11.2006 Trj/Ruins.MB
Sophos 4.10.0 10.05.2006 Troj/RuinDl-Gen
TheHacker 6.0.1.096 10.11.2006 no virus found
UNA 1.83 10.11.2006 no virus found
VBA32 3.11.1 10.11.2006 Trojan.Win32.Small.je
VirusBuster 4.3.7:9 10.11.2006 no virus found

Aditional Information
File size: 62032 bytes
MD5: 6f6db604a81736ca44c43fd0a3faf79c
SHA1: 7382258ca67e3b40552bd18fb2fe47bc6f4c7be2
............................
{16B1BE4B-F5CF-43F6-978A-28CF59229D4E}.exe
Service is stopped in this moments. Scanning of your sample has not been finalized and results has been lost. If you wish to scan it, please send it again.

Antivirus Version Update Result
AntiVir 7.2.0.25 10.11.2006 HEUR/Malware
Authentium 4.93.8 10.11.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
Avast 4.7.892.0 10.11.2006 Win32:Agent-AVO
AVG 386 10.11.2006 no virus found
BitDefender 7.2 10.11.2006 Trojan.Downloader.Mohbpork.A
CAT-QuickHeal 8.00 10.11.2006 Trojan.DNSChanger
ClamAV devel-20060426 10.11.2006 no virus found
eTrust-InoculateIT 23.73.19 10.11.2006 no virus found
eTrust-Vet 30.3.3127 10.11.2006 Win32/Alureon!generic
DrWeb 4.33 10.11.2006 Trojan.DnsChange
Ewido 4.0 10.11.2006 Downloader.Agent.uj
Fortinet 2.82.0.0 10.11.2006 suspicious
F-Prot 3.16f 10.11.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
F-Prot4 4.2.1.29 10.11.2006 W32/SecRisk-ProcessPatcher-based!Maximus
Ikarus 0.2.65.0 10.11.2006 no virus found
Kaspersky 4.0.2.24 10.11.2006 Trojan-Downloader.Win32.Agent.uj
McAfee 4871 10.11.2006 no virus found
Microsoft 1.1603 10.11.2006 no virus found
NOD32v2 1.1797 10.10.2006 a variant of Win32/Small.FB
Norman 5.80.02 10.11.2006 no virus found
Panda 9.0.0.4 10.11.2006 Trj/Ruins.MB

Aditional Information
File size: 51275 bytes
MD5: e37012dc8559e13c407b8bfaa9451ded
SHA1: 5fde7a8dec164e84e1ce208d3c2b4f29c5b65c89
............................
If you downloaded a codec about that time, it is most likely the culprit, as the "fake codec" to view a video is a very common trick to get folks to download it, and then they get infected. There are many, many variants, and most try to install a fake antispyware program of one sort or another, with big warnings about a fake virus to further try to trick you into paying for it.

This is only a generic description but yours was of the same family of trojans:

Win32/Alureon Family
http://www3.ca.com/s...s.aspx?ID=50214

You had the desktop Hijacker from that codec as described Here in our September Newsletter.

Yours was hidden by a rootkit, hence the need for a special tool to remove it.

I'd like to see a diagnostic log from this free tool please to see if there are any remaining leftovers:
A diagnostic log from this free tool called HijackThis
Instructions on creating a HijackThis Log
http://www.lavasofts...p?showtopic=216

#12 johan_b (Member, 13 posts)

Posted 13 October 2006 - 11:02 AM

Hi, thanks for the explanation...
I remember now that I downloaded the "emedia-codec" which was on that list of fake codecs!
Now I've learned a lesson...
Anyways, it hasn't come back after rebooting, so everything seems to be fine now.
Here you have the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:58:33, on 2006-10-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec AntiVirus\DefWatch.exe
C:\Program\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Alias\Alias ImageStudio 2.0\bin\renderqueue.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Sony\ISB Utility\ISBMgr.exe
C:\Program\Sony\VAIO Power Management\SPMgr.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\SYMANT~1\VPTray.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\QuickTime\qttask.exe
C:\Program\D-Tools\daemon.exe
C:\Program\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program\Sony\SONICS~1\SsAAD.exe
C:\Program\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program\Winamp\winampa.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Java\jre1.5.0_05\bin\jusched.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
C:\Program\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Program\Delade filer\Sony Shared\GMR\GMRMan.exe
C:\Program\Sony\CONNECTAutoUpdate\CONNECTAutoUpdate.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\hij\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://redirect.zone...=license_wizard
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_05\bin\ssv.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [SsAAD.exe] C:\Program\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Cyber-shot Viewer verktyg för mediekontroll.lnk = C:\Program\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alias SketchBook Snapshot.lnk = C:\Program\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_05\bin\npjpi150_05.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22248F58-2BA8-408D-B24B-C950BFC13C2C}: NameServer = 85.255.113.93,85.255.112.210
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
O17 - HKLM\System\CS1\Services\Tcpip\..\{22248F58-2BA8-408D-B24B-C950BFC13C2C}: NameServer = 85.255.113.93,85.255.112.210
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
O17 - HKLM\System\CS2\Services\Tcpip\..\{22248F58-2BA8-408D-B24B-C950BFC13C2C}: NameServer = 85.255.113.93,85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: VESWinlogon - C:\WINDOWS\SYSTEM32\VESWinlogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Alias ImageStudio Render Queue (renderqueue) - Unknown owner - C:\Program\Alias\Alias ImageStudio 2.0\bin\renderqueue.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program\Delade filer\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks again...:)

#13 LS CalamityJane (Former Lavasoft Staff, 8814 posts)

Posted 13 October 2006 - 02:57 PM

emedia codec is one of the bad boys, indeed.

And, there are some "bad" entries this nasty left in your registry.

We need to fix those.

Open HijackThis and do a *system scan only*.

When it finishes, place a checkmark next to these entries and then press the *fix checked* button:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_05\bin\ssv.dll (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{22248F58-2BA8-408D-B24B-C950BFC13C2C}: NameServer = 85.255.113.93,85.255.112.210

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210

O17 - HKLM\System\CS1\Services\Tcpip\..\{22248F58-2BA8-408D-B24B-C950BFC13C2C}: NameServer = 85.255.113.93,85.255.112.210

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210

O17 - HKLM\System\CS2\Services\Tcpip\..\{22248F58-2BA8-408D-B24B-C950BFC13C2C}: NameServer = 85.255.113.93,85.255.112.210

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.93 85.255.112.210

Also, your Sun Java is out of date, and old versions left on your PC, even after updating, can be vulnerable to malware exploit. Go to Start / Control Panel and look in Add/Remove Programs. Remove all old versions of Sun Java.
They will appear in the "J's", something similar to (for example):

j2re1.4.2_05 or

jre1.5.0_05

JAVA 2 RUNTIME ENVIROMENT SE V1.4.2_03

JAVA 2 RUNTIME ENVIROMENT SE V.14.2_06

(or similar, and there may be more than one. Remove them all)

Then go get the latest up-to-date version here:
http://www.java.com/...load/manual.jsp

Here's why removing old versions of Sun Java is important:
Potential Vulnerability with Sun Java auto update
http://www.dslreport...remark,14738046

This is a vulnerability in that new updated versions of Sun Java do not remove prior vulnerable versions. You will have to remember to do that manually whenever you update your Sun Java.
...............
When done with the above, please scan once more with HijackThis to produce a log and post the fresh log back here for review :)
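
The six O17 lines CalamityJane asks to fix above are the DNS-hijack persistence this thread is really about: the same rogue resolvers are written into CCS as well as CS1 and CS2, so fixing only the CurrentControlSet copy would leave a fallback control set still hijacked. As an added example (not code from the forum, from HijackThis or from any Lavasoft tool), here is a small Python checker that parses O17 lines, accepts both the comma-separated per-interface form and the space-separated Parameters form HijackThis prints, and flags every resolver not on an allowlist; the allowlist and the sample log (the thread's six lines plus one constructed LAN entry) are assumptions made for this example.

```python
"""Flag rogue DNS resolvers (HijackThis O17 entries) in a scan log.

Added example, not part of the original thread. The allowlist and the
sample log below are constructed for this example.
"""
import ipaddress
import re

# Constructed allowlist: the resolvers this machine is expected to use
# (ISP or LAN resolvers). Anything else in an O17 entry is reported.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

# An O17 line looks like
#   O17 - HKLM\System\<set>\Services\Tcpip\Parameters: NameServer = a.b.c.d e.f.g.h
#   O17 - HKLM\System\<set>\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
# where <set> is CCS (CurrentControlSet), CS1, CS2, ... (ControlSet00N).
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<set>[^\\]+)\\Services\\Tcpip\\"
    r"(?:Parameters|\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\})"
    r": NameServer = (?P<servers>.+)$"
)


def parse_o17(line):
    """Return (control_set, interface_guid_or_None, [ips]); None for non-O17 lines."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # HijackThis uses commas for per-interface entries and spaces for the
    # Parameters entry, so split on either.
    tokens = [t for t in re.split(r"[,\s]+", m.group("servers").strip()) if t]
    ips = []
    for tok in tokens:
        try:
            ips.append(str(ipaddress.ip_address(tok)))
        except ValueError:
            continue  # skip malformed tokens instead of aborting on a damaged log
    return m.group("set"), m.group("guid"), ips


def find_rogue_nameservers(log_text, expected=EXPECTED_RESOLVERS):
    """Return one finding per (control set, interface, resolver) not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        cset, guid, ips = parsed
        for ip in ips:
            if ip not in expected:
                findings.append({"set": cset, "guid": guid, "ip": ip})
    return findings


def summarize(findings):
    """Map each rogue resolver to the sorted list of control sets it appears in.

    CurrentControlSet is an alias for one numbered set and Last Known Good
    boots another; a resolver present in all of them survives that fallback,
    which is why every copy has to be fixed rather than just the CCS one.
    """
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["set"])
    return {ip: sorted(sets) for ip, sets in by_ip.items()}


# Constructed sample: a harmless O4 line, the six O17 lines posted in this
# thread, and one constructed interface pointing at a LAN resolver.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{22248F58-2BA8-408D-B24B-C950BFC13C2C}: NameServer = 85.255.113.93,85.255.112.210
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.93 85.255.112.210
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{22248F58-2BA8-408D-B24B-C950BFC13C2C}: NameServer = 85.255.113.93,85.255.112.210
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.93 85.255.112.210
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\..\\{22248F58-2BA8-408D-B24B-C950BFC13C2C}: NameServer = 85.255.113.93,85.255.112.210
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.93 85.255.112.210
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{AAAAAAAA-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for ip, sets in summarize(find_rogue_nameservers(SAMPLE_LOG)).items():
        print(f"rogue resolver {ip} configured in control sets {', '.join(sets)}")
```

Run against the sample, both 85.255.x addresses are reported in CCS, CS1 and CS2, and the constructed 192.168.1.1 interface is not.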

#14 johan_b (Member, 13 posts)

Posted 14 October 2006 - 12:01 PM

Thanks again for your time. Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:59:45, on 2006-10-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Symantec AntiVirus\DefWatch.exe
C:\Program\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Alias\Alias ImageStudio 2.0\bin\renderqueue.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Tablet.exe
C:\Program\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Sony\ISB Utility\ISBMgr.exe
C:\Program\Sony\VAIO Power Management\SPMgr.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\SYMANT~1\VPTray.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\QuickTime\qttask.exe
C:\Program\D-Tools\daemon.exe
C:\Program\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program\Sony\SONICS~1\SsAAD.exe
C:\Program\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program\Winamp\winampa.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
C:\Program\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Program\Delade filer\Sony Shared\GMR\GMRMan.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program\Sony\CONNECTAutoUpdate\CONNECTAutoUpdate.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\WINDOWS\system32\msiexec.exe
C:\hij\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://redirect.zone...=license_wizard
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\Program\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [SsAAD.exe] C:\Program\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Cyber-shot Viewer verktyg för mediekontroll.lnk = C:\Program\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alias SketchBook Snapshot.lnk = C:\Program\Alias\Alias SketchBook Pro 2.0\AliasSketchSnap.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: VESWinlogon - C:\WINDOWS\SYSTEM32\VESWinlogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Alias ImageStudio Render Queue (renderqueue) - Unknown owner - C:\Program\Alias\Alias ImageStudio 2.0\bin\renderqueue.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program\Delade filer\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program\Delade filer\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

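The log above is reviewed by eye in this thread. As an added example (mine, not part of the thread and not a Lavasoft or HijackThis tool), here is a small Python parser that groups HijackThis v1.99-format entries by section and lists the ones a reviewer looks at first: Run entries that reference a bare filename resolved through the search path, Run entries whose target cannot be parsed, O23 services with no vendor attribution, and binaries that live under a user-writable profile directory. The embedded sample log is constructed: a few entries of the kind posted above plus one made-up Temp-directory entry to exercise the last check. A hit is a prompt to verify the file, not a verdict; the log above, "Unknown owner" service included, was pronounced clear by the helper.

```python
"""Group a HijackThis (v1.99-style) log by section and surface the entries a
reviewer checks first.  Added example; not a Lavasoft or HijackThis tool."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in HijackThis log format.  Most lines mirror entries
# posted in the thread; the HKCU "updater" line is invented to exercise the
# user-writable-directory check and is not an indicator from any real case.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:59:45, on 2006-10-14
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\hij\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O23 - Service: Alias ImageStudio Render Queue (renderqueue) - Unknown owner - C:\Program\Alias\Alias ImageStudio 2.0\bin\renderqueue.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# First binary reference in a Run value: optional quotes, then a path ending in
# an executable extension.  For "RUNDLL32.EXE C:\...\x.dll,Entry" this yields
# the host binary, which is reported as a bare filename for the reviewer.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|cmd|bat))"?', re.IGNORECASE)
# Profile locations a normal autostart or service binary rarely lives in.
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\", "\\temp\\")


@dataclass
class Entry:
    section: str
    body: str
    path: str = ""  # binary the entry points at, when one can be extracted


def extract_path(section, body):
    """Pull the referenced file path out of an entry body, or '' if none."""
    if section == "O4":
        m = RUN_RE.search(body)
        cmd = m.group("cmd") if m else body.rsplit(" = ", 1)[-1]  # .lnk = target
        m2 = EXE_RE.match(cmd.strip())
        return m2.group("path") if m2 else ""
    if section in ("O2", "O3", "O9", "O18", "O20", "O23"):
        return body.rsplit(" - ", 1)[-1].strip()  # last " - " field is the file
    return ""


def parse_hjt(text):
    """Return every 'Oxx - ...' / 'Rx - ...' line as an Entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sec, body = m.group("sec"), m.group("body")
            entries.append(Entry(sec, body, extract_path(sec, body)))
    return entries


def running_processes(text):
    """Return the process image paths listed under 'Running processes:'."""
    procs, collecting = [], False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def section_counts(entries):
    return Counter(e.section for e in entries)


def triage(entries):
    """Return (section, reason, body) tuples a reviewer should verify by hand."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.section == "O4" and not e.path:
            findings.append((e.section, "target not parsed; inspect by hand", e.body))
        elif e.section == "O4" and not re.match(r"^[a-z]:\\", p):
            findings.append((e.section, "bare filename resolved via search path; confirm its location", e.body))
        if e.section == "O23" and "Unknown owner" in e.body:
            findings.append((e.section, "service binary with no vendor attribution; confirm the publisher", e.body))
        if any(tag in p for tag in USER_WRITABLE):
            findings.append((e.section, "binary under a user-writable profile directory", e.body))
    return findings


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    print("running processes:", len(running_processes(SAMPLE_LOG)))
    print("entries per section:", dict(section_counts(ents)))
    for sec, why, body in triage(ents):
        print(f"[{sec}] {why}\n    {body}")
```

Point `parse_hjt` at a saved log file's contents to run it over a real scan; every flag is a question for the reviewer, which is why the checks are phrased as "confirm" rather than "remove".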
#15 LS CalamityJane (Former Lavasoft Staff, 8814 posts)

Posted 14 October 2006 - 03:41 PM

Looks clear :(

Are you now able to scan with Ad-Aware?

#16 johan_b (Member, 13 posts)

Posted 14 October 2006 - 08:48 PM

Yes, I can scan now...Thanks a lot for all your knowledge!

Edited by johan_b, 14 October 2006 - 08:49 PM.


#17 LS CalamityJane (Former Lavasoft Staff, 8814 posts)

Posted 14 October 2006 - 09:08 PM

Yes, I can scan now...

Hooray! :)

Some final cleanup and prevention recommendations follow.

You can go ahead and delete any special tools we used (FixWareout, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and no need to keep them.

Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete.
Make sure these 3 are checkmarked and press *ok* to delete them.

Temporary Files
Temporary Internet Files
Recycle Bin

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405
......................
Ad-Aware Plus has realtime protection to prevent infections before they have a chance to get a stronghold on your PC
http://www.lavasoft.com/

Also, I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!

Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.
Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.
Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).

A word about shared computers and networks.
Share Your PC
http://www.microsoft...hare/intro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.


Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE.
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.micros...icrosoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft...xp/iesecxp.mspx

I also highly recommend getting the free tool, Microsoft Baseline Security Analyzer (MBSA), from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner from Microsoft for PC Health and Safety
http://safety.live.c...-US/default.htm
and Microsoft Security At Home
http://www.microsoft...ty/default.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.

#18 johan_b (Member, 13 posts)

Posted 15 October 2006 - 03:22 AM

Ok...thank you so much, I'll try to do all I can not to get infected again :)

Edited by johan_b, 15 October 2006 - 03:22 AM.


#19 LS CalamityJane (Former Lavasoft Staff, 8814 posts)

Posted 15 October 2006 - 06:00 PM

Since your issues seem resolved I'll go ahead and archive this topic in the "Resolved" section (read only)

If you should have any further issues, please feel free to post a new topic :P