
Something is not right. [HJT Log]

Discussion in 'Malware and Virus Removal Archive' started by Nicarlo, 2006/11/20.

  1. 2006/11/20
    Nicarlo

    I am running a Windows 2000 Advanced Server on one of my computers here. Lately I've been getting a bunch of popups, and after running my anti-virus (Symantec) I get no viruses, so then I run Spybot Search and Destroy and I get no spyware, but I'm still getting popups.

    I ran HijackThis and this is what I got. There are a few things that do not seem normal (in bold).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Edd
    ÉèÖõ¯³Ã¶Ã’³ÃƒÃ¦=T.B.A+hxxp://125.243.255.253/home.htm

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinBackup Scheduler] C:\Program Files\LIUtilities\WinBackup\wbsched.exe
    O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
    O4 - HKLM\..\Run: [MSUPDATE] xxx.LookSoft.Net.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: VersionBackup.lnk = C:\Program Files\VersionBackup\VersionBackup.exe
    O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - C:\WINNT\System32\shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137958758156
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1A1AEF20-9D13-4FA5-95B9-D8A2E423B5FA}: NameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D000AE5-D628-49D4-93DB-0F69E0675AD5}: NameServer = 192.168.1.1
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Active HelpAssistant - Unknown owner - C:\WINNT\IIS\iisset (file missing)
    O23 - Service: Backup Exec 8.x Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
    O23 - Service: Backup Exec 8.x Alert Server (BackupExecAlertServer) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe
    O23 - Service: Backup Exec 8.x Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
    O23 - Service: Backup Exec 8.x Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
    O23 - Service: Backup Exec 8.x Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
    O23 - Service: Backup Exec 8.x Notification Server (BackupExecNotificationServer) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe
    O23 - Service: Backup Exec 8.x Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINNT\system32\CBA\pds.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: regsnthelp - Unknown owner - C:\WINNT\system32\regst.exe
    O23 - Service: Reporting Agents (Reporting) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
    O23 - Service: Regedits Helps (Windows Regedit Helps) - Unknown owner - C:\WINNT\iis\iesetup.exe (file missing)
    O23 - Service: Windows Help (WinHlp) - Unknown owner - C:\WINNT\system32\Microsoft\Protect\S-1-5-19\lmhosts.exe (file missing)

    Anyone have an idea what I might have caught and how I can solve it?

    P.S. Every time I reboot I get a prompt to install Windows Premium Office, and I have to cancel it like 3-4 times before it goes away, and then I get a glimpse of some sort of program running, but then it disappears.
     
    Last edited by a moderator: 2006/11/20
  2. 2006/11/20
    TeMerc

    Hi and welcome back.

    Definitely got a few oddballs there.

    Let's attack them and see how they like removal. As this is a server, you will see a couple of items in red, as I'm not sure if these were installed by you or not.

    Below you will find my results and recommendations from your HijackThis! log file analysis. Please read ALL instructions carefully BEFORE proceeding.


    Go to: Start > Run > type "services.msc", then click OK

    Scroll down to the Active HelpAssistant service.

    Click it to highlight it, then <right-click> and select: Properties
    Select and set "Service Status" option to "Stop"
    Select "Startup type" and set it to "Disabled", click Apply, then OK.

    Perform the same steps as above with these other services:
    regsnthelp
    Regedits Helps (Windows Regedit Helps)
    Windows Help (WinHlp)


    Then Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Then run HJT and place a check next to the following lines (if found), then, with all browsers and windows closed, hit 'Fix checked':

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Edd
    ÉèÖõ¯³Ã¶Ã’³ÃƒÃ¦=T.B.A+hxxp://125.243.255.253/home.htm


    O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe

    O4 - HKLM\..\Run: [MSUPDATE] xxx.LookSoft.Net.exe


    O23 - Service: Active HelpAssistant - Unknown owner - C:\WINNT\IIS\iisset (file missing)

    O23 - Service: regsnthelp - Unknown owner - C:\WINNT\system32\regst.exe

    O23 - Service: Regedits Helps (Windows Regedit Helps) - Unknown owner - C:\WINNT\iis\iesetup.exe (file missing)

    O23 - Service: Windows Help (WinHlp) - Unknown owner - C:\WINNT\system32\Microsoft\Protect\S-1-5-19\lmhosts.exe (file missing)


    Reboot into Safe Mode, this way:
    Turn on your computer.
    Press the <F8> key, as soon as you see the message: For troubleshooting and advanced startup options for Windows 2000, press F8.
    The Windows 2000 Advanced Options Menu appears.
    Safe Mode should be highlighted by default, if not, using the arrow keys, highlight it and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    And search for, then delete if found, the following files/folders (some may not be present after the previous steps):
    c:\autoback <<<-- this folder. *If known to be good, ignore.
    LookSoft.Net.exe <<<-- this file
    C:\WINNT\iis <<<-- this folder
    C:\WINNT\system32\Microsoft\Protect\S-1-5-19 <<<-- this folder. **Please check the contents of this folder before deleting. On my W2KPro box I have S-1-5-18, but not 19 as you have. Make sure it is indeed a rogue, or just delete the 'lmhosts.exe' file.

    To exit Safe Mode, click the Start button, click Shutdown, click Restart The Computer, and click Yes.

    Post a new HJT log back into this thread please.
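A triage pass over the first HijackThis log, added here as an example in Python; it is not HijackThis logic and not anything posted in the thread. It encodes the three things TeMerc picked out by eye: a start page whose URL is a raw IP address, Run entries that use either a bare file name (resolved through the search path) or a well-known system binary name outside the system directory, and services listed with "Unknown owner", with "(file missing)" noted as an aggravating sign. The input is the relevant lines of the posted log with the unrecoverable non-ASCII characters on the R0 line dropped; the rule set and the list of borrowed binary names are my assumptions. "Unknown owner" on its own is a lead, not a verdict: a legitimate service whose binary lacks version information shows the same way, so check each hit against vendor and path before disabling it.

```python
import re

# Constructed input: the relevant lines of the first HijackThis log in this
# thread. The unrecoverable non-ASCII characters on the R0 line are dropped.
SAMPLE_HJT_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Edd=T.B.A+hxxp://125.243.255.253/home.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinBackup Scheduler] C:\Program Files\LIUtilities\WinBackup\wbsched.exe
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSUPDATE] xxx.LookSoft.Net.exe
O23 - Service: Active HelpAssistant - Unknown owner - C:\WINNT\IIS\iisset (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: regsnthelp - Unknown owner - C:\WINNT\system32\regst.exe
O23 - Service: Regedits Helps (Windows Regedit Helps) - Unknown owner - C:\WINNT\iis\iesetup.exe (file missing)
O23 - Service: Windows Help (WinHlp) - Unknown owner - C:\WINNT\system32\Microsoft\Protect\S-1-5-19\lmhosts.exe (file missing)
'''

START_PAGE_RE = re.compile(r"^R[01] - .*?Start Page = (?P<value>.*)$")
IP_URL_RE = re.compile(r"(?:hxxp|http)s?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Names malware likes to borrow; the real ones live in the system directory.
# An assumed list; extend it for your own environment.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_ROOTS = ("c:\\winnt", "c:\\windows")


def _exe_path(cmd):
    """Strip surrounding quotes and any arguments after the first .exe."""
    cmd = cmd.strip().strip('"')
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def _run_reason(path):
    """Why a Run entry's executable is worth a look, or None."""
    if "\\" not in path:
        return "bare executable name, resolved through the search path"
    directory, _, name = path.lower().rpartition("\\")
    in_system_dir = directory.endswith("\\system32") or directory in SYSTEM_ROOTS
    if name in SYSTEM_BINARIES and not in_system_dir:
        return "well-known system binary name outside the system directory"
    return None


def triage_hjt(log_text):
    """Return [{'line', 'reason'}] for entries worth a closer look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = START_PAGE_RE.match(line)
        if m:
            if IP_URL_RE.search(m.group("value")):
                findings.append({"line": line, "reason": "start page points at a raw IP address"})
            continue
        m = RUN_RE.match(line)
        if m:
            reason = _run_reason(_exe_path(m.group("cmd")))
            if reason:
                findings.append({"line": line, "reason": reason})
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            missing = m.group("path").rstrip().endswith("(file missing)")
            reason = "service with unknown owner" + (" (file missing)" if missing else "")
            findings.append({"line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f['reason']:<62} {f['line']}")
```

Run it with python to list the findings; on this input it returns the start page, both Run entries and all four services that the reply above tells the poster to fix, and nothing from the Symantec or WinBackup lines in the sample.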
     


  4. 2006/11/20
    Nicarlo

    Administrator - Mon 11/20/2006 14:49:41.12 Service Pack 4
    ComboFix 06.11.19 - Running from: "C:\Documents and Settings\Administrator.PRIMARY\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-10-20 to 2006-11-20 ))))))))))))))))))))))))))))))))))


    2006-11-20 11:05 33,792 --a------ C:\WINNT\ieuninst.exe
    2006-11-20 10:44 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net2932.dll
    2006-11-20 09:12 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net597.dll
    2006-11-20 09:08 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net8407.dll
    2006-11-19 22:25 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net705.dll
    2006-11-19 11:59 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net4747.dll
    2006-11-18 20:40 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net820.dll
    2006-11-18 20:40 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net4256.dll
    2006-11-18 12:10 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net3722.dll
    2006-11-18 12:09 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net1617.dll
    2006-11-18 12:07 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net3186.dll
    2006-11-17 17:52 48,816 --a------ C:\WINNT\system32\S32EVNT1.DLL
    2006-11-17 17:52 109,744 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
    2006-11-17 17:51 <DIR> d-------- C:\WINNT\system32\CBA
    2006-11-17 13:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2006-11-17 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2006-11-17 11:53 <DIR> d-------- C:\DrWatson
    2006-11-16 08:24 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net6715.dll
    2006-11-16 08:14 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net2728.dll
    2006-11-16 04:09 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net2025.dll
    2006-11-15 21:11 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net8609.dll
    2006-11-15 09:31 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net313.dll
    2006-11-15 00:23 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net0.dll
    2006-11-13 08:53 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net.dll
    2006-11-13 08:53 52,676 --a------ C:\WINNT\system32\Www.LookSoft.Net.exe
    2006-11-13 02:26 <DIR> d-------- C:\autoback


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-20 11:10 -------- d-a------ C:\Program Files\SAV
    2006-11-20 11:05 -------- d-ah----- C:\Program Files\Uninstall Information
    2006-11-20 11:05 -------- d-a------ C:\Program Files\Outlook Express
    2006-11-20 11:05 -------- d-a------ C:\Program Files\Internet Explorer
    2006-11-20 11:05 -------- d-a------ C:\Program Files\Common Files\System
    2006-11-20 11:05 -------- d-------- C:\Program Files\VersionBackup
    2006-11-17 17:54 -------- d-a------ C:\Program Files\Common Files\Symantec Shared
    2006-11-17 17:52 -------- d-a------ C:\Program Files\Symantec
    2006-11-17 17:51 -------- d-a------ C:\Program Files\Common Files\Microsoft Shared
    2006-09-27 20:35 83752 --a------ C:\WINNT\system32\pds.dll
    2006-09-27 20:35 83752 --a------ C:\WINNT\system32\nts.dll
    2006-09-27 20:35 46896 --a------ C:\WINNT\system32\msgsys.dll
    2006-09-27 20:33 43760 --a------ C:\WINNT\system32\NavLogon.dll
    2006-09-22 13:50 97184 --a------ C:\WINNT\system32\rnuninst.exe
    2006-09-22 10:23 5181 --a------ C:\WINNT\system32\svchest.exe
    2006-09-22 08:06 -------- d-------- C:\Program Files\WinRAR
    2006-09-21 11:43 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-09-21 00:00 -------- d-------- C:\Documents and Settings\Administrator.PRIMARY\Application Data\SB-AW
    2006-09-20 11:11 -------- d-------- C:\Documents and Settings\Administrator.PRIMARY\Application Data\Help
    2006-09-20 11:10 -------- d-a------ C:\Program Files\Common Files
    2006-09-20 11:10 -------- d---s---- C:\Documents and Settings\Administrator.PRIMARY\Application Data\Microsoft
    2006-08-30 23:49 10 --a------ C:\WINNT\system32\regst.bat


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "WinBackup Scheduler"="C:\\Program Files\\LIUtilities\\WinBackup\\wbsched.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "vptray"="C:\\PROGRA~1\\SAV\\VPTray.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000003
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00002002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Www.LookSoft.Net.exe"="C:\\WINNT\\system32\\Www.LookSoft.Net.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=dword:00000000
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "ShowSuperHidden"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINNT\tasks\Daily backup.job
    C:\WINNT\tasks\incremidal.job

    Completion time: Mon 2006-11-20 14:50:14.65
    C:\ComboFix.txt ... 06-11-20 14:50



    ----------------------------------------------------

    Here is the HJT log after I rebooted in Safe Mode.
    I think it looks a lot better. Tell me what you think.



    Logfile of HijackThis v1.99.1
    Scan saved at 5:44:32 PM, on 11/20/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\Program Files\SAV\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\CBA\pds.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\sfmprint.exe
    C:\WINNT\system32\ntfrs.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\SAV\Rtvscan.exe
    C:\WINNT\system32\tlntsvr.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wins.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SAV\VPTray.exe
    C:\Documents and Settings\Administrator.PRIMARY\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinBackup Scheduler] C:\Program Files\LIUtilities\WinBackup\wbsched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - C:\WINNT\System32\shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137958758156
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1A1AEF20-9D13-4FA5-95B9-D8A2E423B5FA}: NameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D000AE5-D628-49D4-93DB-0F69E0675AD5}: NameServer = 192.168.1.1
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINNT\system32\CBA\pds.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: regsnthelp - Unknown owner - C:\WINNT\system32\regst.exe
    O23 - Service: Reporting Agents (Reporting) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
     
  5. 2006/11/20
    TeMerc

    OK, we're not quite done; we still need to get rid of those Www files.

    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINNT\system32\Www.LookSoft.Net2932.dll
    C:\WINNT\system32\Www.LookSoft.Net597.dll
    C:\WINNT\system32\Www.LookSoft.Net8407.dll
    C:\WINNT\system32\Www.LookSoft.Net705.dll
    C:\WINNT\system32\Www.LookSoft.Net4747.dll
    C:\WINNT\system32\Www.LookSoft.Net820.dll
    C:\WINNT\system32\Www.LookSoft.Net4256.dll
    C:\WINNT\system32\Www.LookSoft.Net3722.dll
    C:\WINNT\system32\Www.LookSoft.Net3186.dll
    C:\WINNT\system32\Www.LookSoft.Net6715.dll
    C:\WINNT\system32\Www.LookSoft.Net2728.dll
    C:\WINNT\system32\Www.LookSoft.Net2025.dll
    C:\WINNT\system32\Www.LookSoft.Net8609.dll
    C:\WINNT\system32\Www.LookSoft.Net313.dll
    C:\WINNT\system32\Www.LookSoft.Net0.dll
    C:\WINNT\system32\Www.LookSoft.Net.dll
    C:\WINNT\system32\Www.LookSoft.Net.exe
    C:\WINNT\system32\Www.LookSoft.Net.exe



    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
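The Killbox list above was typed out by hand from the ComboFix output, and hand-typed lists drift: the ComboFix "Files Created" section shows 17 Www.LookSoft.Net*.dll files plus the .exe, while the list names 16 DLLs (Www.LookSoft.Net1617.dll is not on it) and the .exe twice. The following is an added example in Python, my own code rather than anything from ComboFix, Killbox or the thread: it parses that section, groups files in the same directory whose names differ only by trailing digits, reports each family with its sizes and how many members carry the hidden+system attributes, and diffs the result against the typed list. The input is an excerpt of the posted section and the posted list, copied verbatim; the grouping rule and the three-member threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed input: an excerpt of the "Files Created" section of the ComboFix
# log posted above (every Www.LookSoft.Net* line plus one unrelated neighbour).
COMBOFIX_FILES_CREATED = r'''
2006-11-20 10:44 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net2932.dll
2006-11-20 09:12 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net597.dll
2006-11-20 09:08 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net8407.dll
2006-11-19 22:25 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net705.dll
2006-11-19 11:59 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net4747.dll
2006-11-18 20:40 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net820.dll
2006-11-18 20:40 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net4256.dll
2006-11-18 12:10 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net3722.dll
2006-11-18 12:09 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net1617.dll
2006-11-18 12:07 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net3186.dll
2006-11-17 17:52 48,816 --a------ C:\WINNT\system32\S32EVNT1.DLL
2006-11-17 17:51 <DIR> d-------- C:\WINNT\system32\CBA
2006-11-16 08:24 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net6715.dll
2006-11-16 08:14 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net2728.dll
2006-11-16 04:09 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net2025.dll
2006-11-15 21:11 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net8609.dll
2006-11-15 09:31 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net313.dll
2006-11-15 00:23 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net0.dll
2006-11-13 08:53 89,600 -r-hs---- C:\WINNT\system32\Www.LookSoft.Net.dll
2006-11-13 08:53 52,676 --a------ C:\WINNT\system32\Www.LookSoft.Net.exe
'''
# The Killbox list typed in the reply above, copied verbatim (duplicate included).
HAND_TYPED_KILLBOX_LIST = r'''
C:\WINNT\system32\Www.LookSoft.Net2932.dll
C:\WINNT\system32\Www.LookSoft.Net597.dll
C:\WINNT\system32\Www.LookSoft.Net8407.dll
C:\WINNT\system32\Www.LookSoft.Net705.dll
C:\WINNT\system32\Www.LookSoft.Net4747.dll
C:\WINNT\system32\Www.LookSoft.Net820.dll
C:\WINNT\system32\Www.LookSoft.Net4256.dll
C:\WINNT\system32\Www.LookSoft.Net3722.dll
C:\WINNT\system32\Www.LookSoft.Net3186.dll
C:\WINNT\system32\Www.LookSoft.Net6715.dll
C:\WINNT\system32\Www.LookSoft.Net2728.dll
C:\WINNT\system32\Www.LookSoft.Net2025.dll
C:\WINNT\system32\Www.LookSoft.Net8609.dll
C:\WINNT\system32\Www.LookSoft.Net313.dll
C:\WINNT\system32\Www.LookSoft.Net0.dll
C:\WINNT\system32\Www.LookSoft.Net.dll
C:\WINNT\system32\Www.LookSoft.Net.exe
C:\WINNT\system32\Www.LookSoft.Net.exe
'''
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+?)\s*$")


def parse_entries(text):
    """Parse 'date time size attrs path' lines; anything else (headers) is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            when, size, attrs, path = m.groups()
            entries.append({"when": when, "path": path, "is_dir": size == "<DIR>",
                            "size": None if size == "<DIR>" else int(size.replace(",", "")),
                            "hidden_system": "h" in attrs and "s" in attrs})
    return entries


def family_key(path):
    """Directory plus file stem with trailing digits removed, extension ignored, so
    Www.LookSoft.Net2932.dll, Www.LookSoft.Net.dll and Www.LookSoft.Net.exe share a key."""
    directory, _, name = path.lower().rpartition("\\")
    stem = name.rpartition(".")[0] or name
    return directory, re.sub(r"\d+$", "", stem)


def find_clone_families(entries, min_members=3):
    """Group files by family_key; keep groups of at least min_members (assumed threshold)."""
    groups = defaultdict(list)
    for e in entries:
        if not e["is_dir"]:
            groups[family_key(e["path"])].append(e)
    return [{"directory": d, "stem": s,
             "paths": sorted(m["path"] for m in members),
             "sizes": sorted({m["size"] for m in members}),
             "hidden_system": sum(m["hidden_system"] for m in members)}
            for (d, s), members in groups.items() if len(members) >= min_members]


def compare_with_hand_list(family_paths, hand_list_text):
    """(missing, extra, duplicated) between the computed family and a typed list,
    compared case-insensitively as NTFS would."""
    typed = [l.strip() for l in hand_list_text.splitlines() if l.strip()]
    counts = Counter(p.lower() for p in typed)
    computed = {p.lower(): p for p in family_paths}
    missing = sorted(p for k, p in computed.items() if k not in counts)
    extra = sorted({p for p in typed if p.lower() not in computed})
    duplicated = sorted({p for p in typed if counts[p.lower()] > 1})
    return missing, extra, duplicated


if __name__ == "__main__":
    for fam in find_clone_families(parse_entries(COMBOFIX_FILES_CREATED)):
        print(f"{len(fam['paths'])} files {fam['stem']}* in {fam['directory']}, "
              f"sizes {fam['sizes']}, {fam['hidden_system']} hidden+system")
        missing, extra, dup = compare_with_hand_list(fam["paths"], HAND_TYPED_KILLBOX_LIST)
        print("missing from the hand-typed list:", missing, "typed twice:", dup)
```

Run it with python to see the family and the diff, and hand the computed paths to the delete-on-reboot tool instead of retyping them. Keep the loader entry from the same ComboFix log in mind too, the Www.LookSoft.Net.exe value under [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]: if the files go but that value stays, a later HJT log will still show a dangling autostart, and if the value goes but Www.LookSoft.Net.exe stays, the dropper is still on disk.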
     
