I need help! I simply can't remove project 1

Posted 9/1/2006 8:39 PM
#35785

filnice Member

Date Joined Nov 2016
Total Posts: 4
I have Windows 2000 Professional, and a "project 1" program keeps interrupting everything I do. I have tried several actions to remove it and it always comes back. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 03:27:03 p.m., on 01/09/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINNT\System32\svchost.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\system32\lsiss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\taskmgr.exe
C:\Archivos de programa\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\CHKADMIN.EXE
C:\WINNT\loadqm.exe
C:\Documents and Settings\isaura_corula\Escritorio\win\winampa.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\BullGuard Software\BullGuard\bullguard.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Archivos de programa\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.33.1.12:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Archivos de programa\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\ARCHIV~1\Compaq\COMPAQ~2\CHKADMIN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Documents and Settings\isaura_corula\Escritorio\win\\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_15.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_15.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_15.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BullGuard] "C:\Archivos de programa\BullGuard Software\BullGuard\bullguard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\ARCHIV~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\europillamusica3\entrar.html
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sedecopue.gob.mx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D3DF339-BEB3-409B-BE42-BE0E6D9524D1}: NameServer = 172.21.9.36
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sedecopue.gob.mx
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D3DF339-BEB3-409B-BE42-BE0E6D9524D1}: NameServer = 172.21.9.36
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sedecopue.gob.mx
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D3DF339-BEB3-409B-BE42-BE0E6D9524D1}: NameServer = 172.21.9.36
O20 - Winlogon Notify: Applets - C:\WINNT\system32\jt0607dse.dll
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Archivos de programa\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Archivos de programa\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\ARCHIV~1\Compaq\COMPAQ~2\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\ARCHIV~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Archivos de programa\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Windows PE Debugger - Unknown owner - C:\WINNT\system32\lviss.exe (file missing)
O23 - Service: Windows Remote Manager - Unknown owner - C:\WINNT\system32\lsiss.exe

help please
Posted 9/2/2006 2:40 AM
#35791

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Hi filnice :cool:




Please download Ewido Anti-Malware

Install Ewido Anti-Malware
Launch Ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")

Exit Ewido, do not run the scan yet!

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates




Click My Computer, then C:\
In the menu bar, File -> New -> Folder.
That will create a folder named New Folder, which you can rename to "BFU".

Please download Brute Force Uninstaller (BFU).
Unzip it to its own folder (c:\BFU).

Rightclick - http://metallica.geekstogo.com/alcanshorty.bfu and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

Do not run the Uninstaller and the Remover yet.





Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.







Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key (or F5 on some computers)
Use the arrow keys to highlight Safe Mode and press the Enter key.





Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.



Run full scan with Ewido


  • Click Scanner

  • Click on the Scan tab

  • Click Complete System Scan to begin scanning.

  • When the scan is complete click Recommended Action and change it to Quarantine

  • Then click Apply all actions

Once finished, click the Save report button, then click Save Report As. This will create a text file.
Make sure you know where to find this file again (like on the Desktop).

Close ewido security suite.


Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu
Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.



Visit Microsoft Update and update to SP4:

http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en

You might need to change the language.

Apply the update, reboot.





It appears as though you are running 2 anti-virus programs at the same time.
That can cause conflicts on a system and takes up system resources. You should remove one of them from Add/Remove Programs in Control Panel.







Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.




Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 9/8/2006 4:15 PM
#36139

filnice Member

Date Joined Nov 2016
Total Posts: 4
Thank you Touch! Sorry for the delay. I just followed all the steps and it seems project 1 is still there. I couldn't run Ewido in safe mode without a LAN connection, so I ran it connected in safe mode, and I don't know if that might be the reason the bug is still alive. Here are my Ewido and HijackThis logs:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:07:00 a.m. 08/09/2006

+ Scan result:



C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\ENY5I0L1\dfndrff_15[1].exe -> Adware.DollarRevenue : Cleaned with backup (quarantined).
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\dfndrff_15.exe -> Adware.DollarRevenue : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\35JUXZIG\Installer[2].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\isaura_corula\Configuración local\Temp\temp.fr0721 -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\isaura_corula\Configuración local\Temp\temp.frAB15 -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\aafsipc.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Installer3.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\gp6ql3j51.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\gpr8l39u1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\hrjs0517e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\hrlm0531e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\ir28l5fu1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\ir48l5hu1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\jt2s07f7e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\jt6o07j3e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\k626lgfs1626.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\ktnol7531.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\lv4009hme.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\nmlanman.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\t2r80c9uef.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\vrrsion.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Archivos de programa\Deskbar\deskbar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_03745.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_06002.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_15720.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_17602.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_22138.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_27688.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_28604.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_31733.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_37274.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_44182.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_45075.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_48477.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_48745.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_50674.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_51103.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_54016.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_54780.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_65107.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_70078.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_71066.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_71081.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_75887.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\setup_84576.exe -> Backdoor.SdBot.avb : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\35JUXZIG\drsmartload1022a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\35JUXZIG\drsmartload849a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\JX0FWABN\drsmartload195a[2].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\JX0FWABN\drsmartload849a[2].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\O81Z6292\drsmartload45a[2].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\O81Z6292\drsmartload46a[2].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\doc.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\drsmartload45a45n.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\drsmartload45a45o.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\drsmartload45a45p.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\drsmartload46a46n.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\drsmartload46a46o.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\drsmartload46a46p.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\drsmartload849a849n.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\drsmartload849a849o.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\drsmartload849a849p.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\winde.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\O81Z6292\loader[1].exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\drsmartload.exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\35JUXZIG\kybrdff_15[1].exe -> Downloader.VB.alg : Cleaned with backup (quarantined).
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\kybrdff_15.exe -> Downloader.VB.alg : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\ENY5I0L1\nwnmff_14[1].exe -> Downloader.VB.als : Cleaned with backup (quarantined).
C:\nwnmff_14.exe -> Downloader.VB.als : Cleaned with backup (quarantined).
C:\drsmartload45a45k.exe -> Downloader.VB.alt : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\JX0FWABN\kybrdff_16[1].exe -> Downloader.VB.amb : Cleaned with backup (quarantined).
C:\kybrdff_16.exe -> Downloader.VB.amb : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrador\Configuración local\Temp\ImInstaller\IncrediMail\imloader.exe -> Not-A-Virus.Downloader.Win32.ImLoader.b : Cleaned with backup (quarantined).
C:\Documents and Settings\isaura_corula\Configuración local\Archivos temporales de Internet\Content.IE5\81MF65SL\send_exe2[1].htm.mwt -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
C:\Documents and Settings\isaura_corula\Configuración local\Archivos temporales de Internet\Content.IE5\81MF65SL\send_exe2[2].htm.mwt -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 10:20:14 a.m., on 08/09/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\system32\lviss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\Archivos de programa\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\CHKADMIN.EXE
C:\WINNT\loadqm.exe
C:\Documents and Settings\isaura_corula\Escritorio\win\winampa.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
C:\dfndrff_16.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINNT\explorer.exe
C:\Archivos de programa\Network Monitor\netmon.exe
C:\WINNT\QXBveW8gRW1wcmVzYXJpYWw\command.exe
C:\WINNT\system32\taskmgr.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Archivos de programa\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.33.1.12:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Archivos de programa\Deskbar\deskbar.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Archivos de programa\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\ARCHIV~1\Compaq\COMPAQ~2\CHKADMIN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Documents and Settings\isaura_corula\Escritorio\win\\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_17.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BullGuard] "C:\Archivos de programa\BullGuard Software\BullGuard\bullguard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\ARCHIV~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\europillamusica3\entrar.html
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sedecopue.gob.mx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D3DF339-BEB3-409B-BE42-BE0E6D9524D1}: NameServer = 172.21.9.36
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sedecopue.gob.mx
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D3DF339-BEB3-409B-BE42-BE0E6D9524D1}: NameServer = 172.21.9.36
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sedecopue.gob.mx
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D3DF339-BEB3-409B-BE42-BE0E6D9524D1}: NameServer = 172.21.9.36
O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\guard.tmp (file missing)
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\cfral.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QXBveW8gRW1wcmVzYXJpYWw\command.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Archivos de programa\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\ARCHIV~1\Compaq\COMPAQ~2\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\ARCHIV~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Archivos de programa\Network Monitor\netmon.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Archivos de programa\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Windows PE Debugger - Unknown owner - C:\WINNT\system32\lviss.exe
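Reading the O4, O20 and O23 sections of the two logs above by eye is what the helper in this thread does. The Python below is an added example written for this page, not a tool anyone in the thread used; it encodes the same triage rules so they can be run over a saved log: autorun entries that launch an executable sitting in the drive root (kybrdff_15.exe, dfndrff_15.exe, nwnmff_15.exe), Winlogon Notify packages that a stock Windows 2000/XP install does not register (the default-package list is an assumption in the code, and a hit means "review", not "malware"; SUPERAntiSpyware registers one legitimately), services reported as "Unknown owner", and path components that are valid base64 (the cmdService folder name QXBveW8gRW1wcmVzYXJpYWw decodes to "Apoyo Empresarial"). The sample lines are copied from the HijackThis logs posted in this thread.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread, not a tool the posters used. It flags the
entry shapes that stood out in the posted logs: autorun executables in the
drive root, Winlogon Notify packages Windows does not ship, services with
no publisher string, and base64-encoded path segments.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Winlogon Notify subkeys present on a stock Windows 2000/XP install.
# Assumption: anything else deserves a look; it is not proof of malware
# (a legitimate security product can register one too).
DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
# An executable directly under the drive root, e.g. C:\\dfndrff_15.exe
ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\\\?[^\\]+\.exe"?$', re.IGNORECASE)
# A whole path component made of 16 or more base64 characters.
B64_SEG_RE = re.compile(r"\\([A-Za-z0-9+/]{16,}={0,2})(?=\\|$)")


@dataclass
class Finding:
    line: str
    reason: str


def decode_base64_segment(seg: str) -> Optional[str]:
    """Return the decoded text if seg is base64 for printable ASCII, else None."""
    if len(seg) % 4 == 1:          # impossible length for base64
        return None
    padded = seg + "=" * (-len(seg) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:             # binascii.Error is a ValueError subclass
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run every heuristic over each log line; return findings in log order."""
    findings: List[Finding] = []
    for line in lines:
        line = line.rstrip("\r\n")
        m = O4_RE.match(line)
        if m and ROOT_EXE_RE.match(m["cmd"].strip()):
            findings.append(Finding(line, f"autorun '{m['name']}' launches an executable in the drive root"))
        m = O20_RE.match(line)
        if m and m["name"].lower() not in DEFAULT_NOTIFY:
            note = " (file missing: orphaned key)" if m["missing"] else ""
            findings.append(Finding(line, f"Winlogon Notify '{m['name']}' is not a stock Windows package{note}"))
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            note = " (file missing)" if m["missing"] else ""
            findings.append(Finding(line, f"service '{m['desc']}' has Unknown owner{note}"))
        for seg in B64_SEG_RE.findall(line):
            text = decode_base64_segment(seg)
            if text:
                findings.append(Finding(line, f"path segment {seg} is base64 for {text!r}"))
    return findings


# Lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_15.exe",
    r"O4 - HKLM\..\Run: [defender] C:\\dfndrff_15.exe",
    r"O4 - HKLM\..\Run: [newname] c:\\nwnmff_15.exe",
    r"O20 - Winlogon Notify: Applets - C:\WINNT\system32\jt0607dse.dll",
    r"O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\guard.tmp (file missing)",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe",
    r"O23 - Service: Windows PE Debugger - Unknown owner - C:\WINNT\system32\lviss.exe (file missing)",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QXBveW8gRW1wcmVzYXJpYWw\command.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against a full saved log (`triage(open("hijackthis.log").read().splitlines())`) the script prints eight findings for the sample above and nothing for the Symantec or mobsync entries; the base64 rule is the one that turns the opaque folder name into a readable string, which is the kind of cue a helper would otherwise have to spot by hand.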
Posted 9/10/2006 7:44 AM
#36212

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Please download the free trial of SUPERAntiSpyware:
http://www.superantispyware.com/superantispywarefreevspro.html

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it.)

Close the program.




Download and install CCleaner:
http://www.filehippo.com/download_ccleaner/
For a basic version of CCleaner with no Yahoo Toolbar, select the second or third install option.
Even if you selected option 2 or 3, if you do not want the Yahoo Toolbar installed:
Uncheck "Add CCleaner Yahoo! Toolbar", as it is checked by default during CCleaner Setup.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.
When the scan has finished, look if you can click the next icon next to the files found.
If so, click it and then click the next icon right below and select Move incurable.
This will move it to the %userprofile%\DoctorWeb\Quarantine folder if it can't be cured.
After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web CureIt.









Start SUPERAntiSpyware / right-click on the black/yellow bug in the tray.

Hit the Scan Your Computer button.

Click on the drive(s) you want to scan. Put a check in Perform Complete Scan, then Next.

It will scan now. When the scan has finished, put a checkmark next to all items it found. Click Next; after cleaning, let it reboot.





Next go to Start > Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
And Find:
superantispyware log

Post this log along with a fresh HijackThis log and tell me how things are running.

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 9/14/2006 8:02 PM
#36470

filnice Member

Date Joined Nov 2016
Total Posts: 4
:cool: Thank you again Touch! I followed all the steps and it seems the virus has been affected this time, because the project 1 window at startup did not show up, but I'm not sure if it's completely gone, since a while after I rebooted an advertising pop-up window appeared. Here are my HijackThis and SUPERAntiSpyware logs:

Logfile of HijackThis v1.99.1
Scan saved at 02:48:51 p.m., on 14/09/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\dfndrff_e1.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Archivos de programa\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Archivos de programa\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.33.1.12:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Archivos de programa\Deskbar\deskbar.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e1.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BullGuard] "C:\Archivos de programa\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\ARCHIV~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\europillamusica3\entrar.html
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sedecopue.gob.mx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D3DF339-BEB3-409B-BE42-BE0E6D9524D1}: NameServer = 172.21.9.36
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sedecopue.gob.mx
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D3DF339-BEB3-409B-BE42-BE0E6D9524D1}: NameServer = 172.21.9.36
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sedecopue.gob.mx
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D3DF339-BEB3-409B-BE42-BE0E6D9524D1}: NameServer = 172.21.9.36
O20 - Winlogon Notify: SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Archivos de programa\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\ARCHIV~1\Compaq\COMPAQ~2\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\ARCHIV~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Archivos de programa\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: Windows PE Debugger - Unknown owner - C:\WINNT\system32\lviss.exe (file missing)

SUPERAntiSpyware Scan Log
Generated 09/14/2006 at 01:37 PM

Core Rules Database Version : 3082
Trace Rules Database Version: 1114

Memory threats detected : 1
Registry threats detected : 51
File threats detected : 56

Adware.NicTech Networks
C:\WINNT\SYSTEM32\O8ROLI9318.DLL
C:\WINNT\SYSTEM32\O8ROLI9318.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\Uninstall
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\e8jmli1118.dll
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\fpns0357e.dll
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\guard.tmp
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\GUARD.TMP.VIR
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\guard__0.tmp
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\h60qlgd5160.dll
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\Installer3.exe
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\Installer[10.exe
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\k2620cjoefoc0.dll
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\lv6809jue.dll
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\lvp8097ue.dll
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\mfltus40.dll
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\q6ps0g77e6.dll
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\RNOCURS.DLL
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\SH2EVNT1.DLL
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\wqnstrm.dll

Adware.Tracking Cookie
C:\Documents and Settings\isaura_corula\Cookies\isaura_corula@cpvfeed[2].txt
C:\Documents and Settings\isaura_corula\Cookies\isaura_corula@ad.cs102175[1].txt
C:\Documents and Settings\isaura_corula\Cookies\isaura_corula@cassava[1].txt
C:\Documents and Settings\isaura_corula\Cookies\isaura_corula@stats1.reliablestats[1].txt
C:\Documents and Settings\isaura_corula\Cookies\isaura_corula@888[1].txt
C:\Documents and Settings\isaura_corula\Cookies\isaura_corula@partygaming.122.2o7[1].txt
C:\Documents and Settings\isaura_corula\Cookies\isaura_corula@i.screensavers[2].txt
C:\Documents and Settings\isaura_corula\Cookies\isaura_corula@www.globaladvertisingservices[1].txt
C:\Documents and Settings\isaura_corula\Cookies\isaura_corula@dsml.clickexperts[1].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@ads.esmas[1].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@ads.monster[1].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@ads.yupimsn[1].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@ads4.clearchannel[1].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@adserver.terra[2].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@dealtime[1].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@freebannertrade[1].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@gostats[2].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@jackpotmadness[1].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@satelite.com[1].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@serve.thisbanner[2].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@servedby.clickexperts[2].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@stats.klsoft[1].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@stats[2].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@tripod.com[1].txt
C:\Documents and Settings\apoyo8\Cookies\apoyo8@www.clickxchange[2].txt
C:\Documents and Settings\isaura_corula\Configuración local\Temp\Cookies\isaura_corula@cpvfeed[2].txt
C:\WINNT\Temp\Cookies\isaura_corula@ad.cs102175[2].txt
C:\WINNT\Temp\Cookies\isaura_corula@ad.yieldmanager[1].txt
C:\WINNT\Temp\Cookies\isaura_corula@cassava[1].txt
C:\WINNT\Temp\Cookies\isaura_corula@cpvfeed[2].txt
C:\WINNT\Temp\Cookies\isaura_corula@dsml.clickexperts[1].txt
C:\WINNT\Temp\Cookies\isaura_corula@partygaming.122.2o7[1].txt

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Type
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Start
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#UninstallString
C:\Archivos de programa\Network Monitor

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Adware.Adservs
C:\WINNT\system32\atmtd.dll
C:\WINNT\system32\atmtd.dll._

Trojan.Unknown Origin
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\installer[11.exe
C:\Documents and Settings\isaura_corula\DoctorWeb\Quarantine\installer[1].exe
C:\WINNT\QXBveW8gRW1wcmVzYXJpYWw\kr1Syqf0lqYTwApWsrLDsqT.vbs
C:\WINNT\uninstall_nmon.vbs
Posted 9/15/2006 12:35 PM
#36501

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Sounds good :smile:

Run HijackThis and place a check beside each of the following. Close all other browser windows except HJT.
Click fix checked.
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Archivos de programa\Deskbar\deskbar.dll (file missing)
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e1.exe
O23 - Service: Windows PE Debugger - Unknown owner - C:\WINNT\system32\lviss.exe (file missing)

Reboot into Safe Mode by tapping F8 after the BIOS has loaded.
The Windows Advanced Options Menu appears.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.

Delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found, as they may have been automatically removed by actions I had you take earlier in the cleaning process.

Delete Files:
C:\\dfndrff_e1.exe

Reboot and post (hopefully) the last HijackThis log

Do not PM me with logfiles. They will be deleted.


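The reply above singles out three kinds of suspect entries: a hook or service whose target file is missing, an O23 service with no identifiable vendor, and an O4 autorun that launches an executable straight from the drive root. The Python helper below is an added example (not code from this thread, from Touch, or from HijackThis) that applies those same three checks to HJT log lines. The regular expressions, the `Finding` type and the list of executable extensions are my own assumptions; the sample lines are copied from the log posted earlier in the thread.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example, not part of the thread or of HijackThis itself. It applies the
same reasoning the helper used above: flag entries whose target file is
missing, O23 services with no identifiable vendor, and O4 autoruns that launch
an executable sitting directly in the drive root.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: five lines copied from the log posted above (the three
# the helper asked to be fixed, plus two legitimate ones for contrast).
SAMPLE_LOG = r"""
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Archivos de programa\Deskbar\deskbar.dll (file missing)
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e1.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Windows PE Debugger - Unknown owner - C:\WINNT\system32\lviss.exe (file missing)
""".strip()

# HJT line prefix: a section code (R0-R3, F0-F3, O1-O24) followed by " - ".
SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# First Windows path in the line, ending at an executable-style extension
# (extension list is an assumption, not HJT's own).
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|ocx|vbs|scr)", re.IGNORECASE)
# A path whose parent directory is the drive root, e.g. C:\something.exe.
DRIVE_ROOT_RE = re.compile(r"[a-z]:\\[^\\]+", re.IGNORECASE)


class Finding(NamedTuple):
    section: str
    path: str
    reasons: List[str]


def extract_path(body: str) -> str:
    """Return the first executable path in an HJT line body, or ""."""
    m = PATH_RE.search(body)
    if not m:
        return ""
    # HJT prints a doubled backslash for root-level files (C:\\x.exe); normalise it.
    return m.group(0).replace("\\\\", "\\")


def triage_line(line: str) -> Optional[Finding]:
    """Apply the three checks to one line; None means nothing was flagged."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    path = extract_path(body)
    reasons = []
    if "(file missing)" in body:
        reasons.append("target file missing: stale or already-removed entry")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no identifiable vendor")
    if section == "O4" and path and DRIVE_ROOT_RE.fullmatch(path):
        reasons.append("autorun launches an executable from the drive root")
    return Finding(section, path, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and collect the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.path}")
        for r in f.reasons:
            print(f"     - {r}")
```

Run as a script it reports exactly the three entries Touch listed; the MsnMsgr autorun and the Symantec service produce no finding. It is a reading aid, not a verdict: the ccEvtMgr service passes only because it carries a vendor name and an existing path, which is still something a helper confirms by hand before telling a user to leave an entry alone.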
Posted 9/19/2006 1:29 PM
#36704

filnice Member

Date Joined Nov 2016
Total Posts: 4
:p I really really thank you Touch! It seems like the bug has been terminated :skull: I shall recommend your advice. Cheers!


Here is my last Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 08:19:38 a.m., on 19/09/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\MSTask.exe
C:\Archivos de programa\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\ARCHIV~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\System32\MsiExec.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Archivos de programa\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.33.1.12:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BullGuard] "C:\Archivos de programa\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Archivos de programa\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\ARCHIV~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\europillamusica3\entrar.html (file missing)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sedecopue.gob.mx
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D3DF339-BEB3-409B-BE42-BE0E6D9524D1}: NameServer = 172.21.9.36
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sedecopue.gob.mx
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D3DF339-BEB3-409B-BE42-BE0E6D9524D1}: NameServer = 172.21.9.36
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sedecopue.gob.mx
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D3DF339-BEB3-409B-BE42-BE0E6D9524D1}: NameServer = 172.21.9.36
O20 - Winlogon Notify: SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Archivos de programa\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\ARCHIV~1\Compaq\COMPAQ~2\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\ARCHIV~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Archivos de programa\ewido anti-spyware 4.0\guard.exe
O23 - Service: Insight Manager LC Remote Management (LCRMS) - Compaq Computer Corporation - C:\Archivos de programa\Compaq\LCRMS\LCRMS.EXE
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Archivos de programa\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe



Thank you!