 |
| |||||||
| Notices |
| Software Photoshop, Paintshop Pro, Painter, etc., and all their various plugins. Of course, you can also discuss all other programs, as well. |
 |
| | LinkBack | Thread Tools |
|
#16
04-13-2006, 04:13 PM
| ||||
| ||||
| gary, thanks. new log: Logfile of HijackThis v1.99.1 Scan saved at 5:11:30 PM, on 4/13/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\System32\GEARSec.exe H:\Program Files\Norton Ghost\Agent\VProSvc.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\WINDOWS\System32\hphmon05.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe F:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe C:\WINDOWS\MXOALDR.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe H:\Program Files\Norton Ghost\Agent\GhostTray.exe P:\Program Files\Abyss Web Server\abyssws.exe C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe P:\Program Files\Abyss Web Server\abyssws.exe H:\Program Files\TraySoft\PhoneTray\PhoneTray.exe C:\Program Files\Dantz\Retrospect\retrorun.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe I:\Program Files\VMware\VMware Player\vmware-authd.exe C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe C:\WINDOWS\system32\vmnat.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\vmnetdhcp.exe C:\WINDOWS\system32\BRMFRSMG.EXE C:\WINDOWS\System32\HPZipm12.exe F:\Program Files\mozilla.org\Mozilla\mozilla.exe C:\Program Files\Internet Explorer\iexplore.exe J:\HijackThis-1-99-1\HijackThis.exe C:\WINDOWS\system32\NOTEPAD.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.retouchpro.com/"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js) N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [Norton Ghost 10.0] "H:\Program Files\Norton Ghost\Agent\GhostTray.exe" O4 - HKCU\..\Run: [AbyssWebServer] P:\Program Files\Abyss Web Server\abyssws.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1\NEOTRA~1\NTXcontext.htm O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - F:\NEOTRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU) O15 - Trusted Zone: http://free.aol.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136317380093 O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F84C87-59F2-4E53-A3FB-87340C392D64}: NameServer = 205.152.37.23,205.152.132.23 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing) O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Norton Ghost - Symantec Corporation - H:\Program Files\Norton Ghost\Agent\VProSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - I:\Program Files\VMware\VMware Player\vmware-authd.exe O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe craig            |
|
#17
04-13-2006, 04:14 PM
| ||||
| ||||
| Just as an item of info Craig, with regard to VM. Microsoft researchers have put forward a proof of concept proposal, where a VM system is used as a "Rootkit" to hide malicious activity. Essentially the attacker downloads a VM onto your computer, and your OS will then unbeknown to you, run inside this VM. Because of this, any AV scans will not show anything wrong with your system, (as they will be scanning your OS, and not the VM) and yet the attacker will have full access to the contents of your computer. They haven't explained how this would be introduced to your box, but the concept is frightening. |
|
#18
04-13-2006, 04:18 PM
| ||||
| ||||
| gary, yes, that is frightening. however, my VERY little understanding of vmware says this is very unlikely, if not nearly impossible. of course the key word there is 'nearly'. and i honestly dont know. the 'hooks' between the vm module and your 'real' o/s are pretty slim, the way i understand it currently, so i dont know. i would think the vm module would have a hard time reading or interfacing with your true o/s. but, it's software, so i suppose it's possible. the whole 'rootkit' thing is pretty scary by all by itself. craig |
|
#19
04-13-2006, 04:50 PM
| ||||
| ||||
| OK Craig, Gone through your HJT log, and it looks clear. I assume Bell South are your ISP. (if not let me know). Noticed you have both AVG and Norton/Symantec on your box, if you're running both it could cause conflicts. Best to disable the real time scanners on one of them, and use it as an on-demand scanner only. Also found Zone Alarm in your Running processes, but I don't find the services to suggest you're using it as your firewall (I presume you're using Norton/Symantec). Is this a remnant from an old install, if so might be worth removing it. (Just remove the Zone Alarms folder in Program Files). If you wish to check whether your other Restore Points have been infected, try running Kaspersky's online scan, this is a very thorough scan, and will show up any infected files (including those in System Restore). It's a scan only, and doesn't clear any infections. Please do an online scan with Kaspersky Online Scanner Click on Kaspersky Online Scanner You will be promted to install an ActiveX component from Kaspersky, Click Yes.
Sorry, another "canned" speech. If your RPs are infected, you need to clean them out. (sorry, yet another "canned") Lets reset system restore Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.
Last edited by Gary Richardson; 04-13-2006 at 05:07 PM. |
|
#20
04-13-2006, 09:15 PM
| ||||
| ||||
| gary, thanks! yes, bellsouth. and that actually makes me feel better. that tells me you looked up that name server and it was correct. no, dont have norton antivirus any more. so, those are leftovers. do have ghost. zone alarm firewall = all systems active. so, not sure what you want there. re the other restore points, this one i just restored to only goes back to shortly before i knew i was infected. also, it was a 'checkpoint' and not the original set rp. so, if things came up clean, i'm not going to worry about it and will keep it. but thanks for that. now, one thing i do have a question on that has never really been answered is, on the restore points, are these like iso's? i mean, i was told once that these arent really iso's in the true sense of it being a complete image file. and, i was also under the impression that restoring wouldnt destroy EVERYTHING after the rp, but it seems to have done so. all those programs i downloaded to fix this mess are now gone from my hdd's. no trace at all. in fact, i was under the impression that by using the checkpoint that it was like an updated version of your last rp and that it would only wipe things back to the checkpoint and not the original rp, but this doesnt seem to be so. there are other things missin from my files, like all the filtermeister filters i got or made a while back. thankfully, on those, i had copied them the software forum and could simply copy them back, but other things are missing as well that would have been installed before the checkpoint but after the rp. ok, i think i just answered my own questions. it would seem to be the checkpoint doesnt really do much of anything. but it just links back to the original rp and the orignal is what gets used in the restore. that kinda sucks. what's the point of the checkpoint if it doesnt update anything? oh wait, i just found some of things i thought were missing. ok, now i'm confusing myself. what does the checkpoint do? and what, if anything, is the difference from restoring to the original rp versus the checkpoint? craig |
|
#21
04-14-2006, 12:56 AM
| ||||
| ||||
| OK, 1st things first. If you're not using Norton anymore, it's best to get rid of all of it, as it sometimes causes conflicts with other systems. The uninstaller that comes with the program does not always remove everything (as can be seen from the plethora of Norton/Symantec entries in your HJT log. DO NOT REMOVE THESE USING HJT. Norton makes an Uninstall Tool which will successfully remove it from your system. HERE (Check which version of Ghost you're using, as it also removes one of the earlier (2003) versions, you'd have to re-install it). Zone Alarm usually has a service (023 Entry in HJT) running. O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe Don't see it in your log. (May be worth doing an Uninstall then Re-install of Zone Alarm). As for Windows XP restore points, there seem to be a whole lot of inconsistencies that I can't explain. (Only M$ know, and their description doesn't clarify matters much). When you restore to an earlier restore point, you will usually lose programs that have been installed since that point was created (not all programs seem to be lost, seems to be some complication there that I don't understand), your registry will be set back to the settings as per that time. Usually any updates to programs will be lost (again sometimes not so). Personal files and folders do not seem to be affected in any way. Not helping clarify things I know, truth is I don't fully know. This may explain. Link to tutorial on Sysem Restore Last edited by Gary Richardson; 04-14-2006 at 01:13 AM. |
|
#22
04-14-2006, 01:35 AM
| ||||
| ||||
| gary, re norton av, i agree. and thanks for the link to their uninstaller. and trust me, i'm well aware of poor uninstalls  and regarding zone alarm, look at the running processes section of the log: Quote:
Quote:
i can also say that so far, i can find NO trace of the virus or its components. mssearchnet.exe, nvctrl.exe and all things related to that 'security' thing seem to be gone....with one exception that i just caught earlier tonight and that was a .txt file on my desktop that said 'security guide'. not completely sure if that was part of the other stuff, but when i checked the properties, it did seem like it. so, that one's a bit of a mystery re the restore points. so, all in all, i'm fairly happy again. i will be updating some things and moving some other things. i'd been getting a bit complacent with all this, not being infected (that i knew of) for quite a while now. frankly, i think we're being too easy on these virus creators. we've mostly all been on the defensive. i'd like to see a little offensive. i did see, when i got windows defender, that microsoft is teaming up with some folks regarding viruses and that they want individuals to join their club also. i think this is a pretty good idea. i can see a new wave of 'security partners' coming in the future that are likely going to be more aggressive on all this. microsoft and others have always been slow to get the message about what's going on, but hackers, crackers, script kiddies and others might want to get clean now. when the big boys like microsoft really set their sights on something they can bring an awful lot of clout to the table. and just as a side note, can you imagine ole bill getting this same virus or sasser or blaster on his home machine? how embarrassing would that be?  craig |
|
#23
04-14-2006, 09:17 AM
| ||||
| ||||
| overlooked the other Zone Lab running processes, (expected to see them as services, so didn't look for them there) partly due to the fact that my auto check had marked them as valid entries. I was concentrating on looking for rogue entries at that point. I'm still curious as to why C:\WINDOWS\system32\ZoneLabs\vsmon.exe is not showing as a running service (don't like discrepancies). It's probably been disabled by the infection (they often disable firewalls to make access to your computer easier). Click Start > Run and type services.msc scan down, and you should find a service called TrueVector Internet Monitor double click on it to open properties, and check it's set to Auto check also that its "Service Status" is Started, then click OK. Any problems with this let me know. |
|
#24
04-14-2006, 12:20 PM
| ||||
| ||||
| gary, again, thanks. on this: Quote:
also, i ran another scan and log last night because i wanted to get mozilla back as my default browser. i also hadnt run i.e. since the restore either. so, the log has changed just a bit because of these: Logfile of HijackThis v1.99.1 Scan saved at 1:12:11 PM, on 4/14/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\System32\GEARSec.exe H:\Program Files\Norton Ghost\Agent\VProSvc.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\WINDOWS\System32\hphmon05.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe F:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe C:\WINDOWS\MXOALDR.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe H:\Program Files\Norton Ghost\Agent\GhostTray.exe P:\Program Files\Abyss Web Server\abyssws.exe P:\Program Files\Abyss Web Server\abyssws.exe C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe H:\Program Files\TraySoft\PhoneTray\PhoneTray.exe C:\Program Files\Dantz\Retrospect\retrorun.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe I:\Program Files\VMware\VMware Player\vmware-authd.exe C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe C:\WINDOWS\system32\vmnat.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\vmnetdhcp.exe C:\WINDOWS\system32\BRMFRSMG.EXE C:\WINDOWS\System32\HPZipm12.exe F:\Program Files\mozilla.org\Mozilla\mozilla.exe J:\HijackThis-1-99-1\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.retouchpro.com/"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js) N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [Norton Ghost 10.0] "H:\Program Files\Norton Ghost\Agent\GhostTray.exe" O4 - HKCU\..\Run: [AbyssWebServer] P:\Program Files\Abyss Web Server\abyssws.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1\NEOTRA~1\NTXcontext.htm O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - F:\NEOTRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU) O15 - Trusted Zone: http://free.aol.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136317380093 O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F84C87-59F2-4E53-A3FB-87340C392D64}: NameServer = 205.152.37.23,205.152.132.23 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing) O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Norton Ghost - Symantec Corporation - H:\Program Files\Norton Ghost\Agent\VProSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - I:\Program Files\VMware\VMware Player\vmware-authd.exe O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe for instance, not sure how that 'aol' thing got in there. i also dont need the 'Directway' thing in there any more. that's from my old satellite internet, which i no longer use. but, all in all, it still looks pretty clean to me. craig |
|
#25
04-14-2006, 01:55 PM
| ||||
| ||||
| If you want to get rid of the AOL in your IE Trusted Zone, just run a scan with HJT, check it, then click on Fix Checked to remove it. The O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing) is a little more involved. You can't just check it in HJT to remove it. 1st we have to stop the service, and then remove it, finally remove the file. Sorry, time for another "canned" speech (I've got loads). We need to stop a service...
Quote:
Let's delete that service
Quote:
Now delete this folder. C:\PROGRAM FILES\DIRECWAY Rest of the log looks clean. (obviously these aren't malicious entries, just unwanted ones). As a point of information, although HJT says the Direcway file is missing, HJT is unreliable in this regard with all but the 02 & 03 entries. |
|
#26
04-15-2006, 12:33 AM
| ||||
| ||||
| gary, thanks. i'll work on those tomorrow. today, at least this evening, i've been working on updating my security. got and re-installed the newer win patrol. got and installed again, task catcher. got and installed spybot s&d with teatimer. ran spybot and it found over 30 items. cute. mostly, these were dead items and non-working fragments of old spyware or other malicious junk. nontheless, i removed most of them. i didnt remove 2. one is 'cyberview', which is software that i'm pretty sure came with my negative scanner. it's a twain/usb device and the software to go with it. not sure why spybot saw that as a threat... but i'll check into it more tomorrow. also downloaded, but didnt install, some items from the spybot site that looked kind of interesting. his regalyzer, filealyzer and i think one other. havent installed those and they're not strictly speaking, security items, but looked kind of interesting. (i'm a download junkie). anyways, the system seems to be running ok. i shld probably do a registry cleaning also after all this. i think i have 'regclean' somewhere. if you know of a better one or have any comments on that one, i'd love to hear it. again, thanks! and i'll try to be more security conscious in the future. craig |
|
#27
04-15-2006, 09:48 AM
| ||||
| ||||
| Hi Craig, This is what I usually suggest to secure a computer. (Based on a user who uses IE as their browser). Personally I use Firefox with the No Script and Site Advisor plugins. (You still need to secure IE). (Suggestions, yet another "canned" speech (does this boy have no end of these)). Updating Windows and Internet Explorer IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates. If you're running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed. (Free at Microsoft Office Update). Make your Internet Explorer more secure
Last edited by Gary Richardson; 04-15-2006 at 10:13 AM. |
|
#28
04-15-2006, 10:09 AM
| ||||
| ||||
| If you like programs that analyse your system, try Process Explorer by Mark Russinovich, available at |