[RESOLVED] When you have some spare time, please take a look

  1. #1

    I'm in a small home office environment (6 computer network). One of the computers has been highly neglected from any updates and scans and so forth. The user finally complained enough about the computer doing funny things and running slow that I went and took a look. I have followed the rules given in the HijackThis sticky. I ran all the client side programs in safe mode and lots of stuff got nuked. So the problem I suppose is the system is running really slow. I scanned through the hijack log myself and think that there are at the very least 2 issues: the keyhook.exe and rlvknlg.exe. One of the programs or scans you all suggested detected the rlvknlg.exe and said it was removed (I think), but it is back, it would appear. The keylogger lite is on there for a reason; it seems to be the only password protected keylogger that is freeware I could find. I use that coupled with googledesktop to monitor the usage of the web on the computers, since novice users don't suspect googledesktop to be doing anything and rarely know what it is. A freeware solution to monitoring and controlling internet usage would be nice to know of, or even a low cost software solution (if you guys could suggest anything). On startup I am also receiving a message box with title "Found EBAPI2"; details are as follows: c:\WINNT\system\EBAPI2.dll. Windows Update is also constantly trying to install update KB823353 (security update for Outlook Express); I think the problem might be the service pack version is incompatible or something. I have no idea what this all means to be honest *shrug*. I'm only an intermediate level computer user that knows how to follow directions well enough. When someone gets the time feel free to give me some suggestions on how to nuke the stuff that isn't good and maybe stuff I should tell the user to deal without to improve system resource usage (I noticed some dumb yahoo junk on there, *rolls eyes*).
Thanks for everything you guys do for the inept computer user community out there.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:56:54 AM, on 1/12/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\keyhook.exe
    C:\WINNT\htpatch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\progra~1\yahoo!\YCentral\YahooCentral.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\winnt\system32\rlvknlg.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Perfect Keylogger Lite\bpk.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Softissimo\Lexibase Pro\exe\L-Express.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\WINNT\system32\sistray.exe
    C:\Program Files\Softissimo\Lexibase Pro\exe\lexibase.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Documents and Settings\Presidente\Desktop\UTILITIES\Registry&Startup\HijackThis\HjkThs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ajBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: XBTB09580 Class - {FFDA4F6F-2EA3-4942-9420-E42880965A3A} - C:\PROGRA~1\WORDRE~1\WORDRE~1.DLL (file missing)
    O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Program Files\PRMT6\PRMTIE\prmtie.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: WordReferenceEsEn - {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - C:\Program Files\WordReferenceEsEn\wordreferenceEsEn.dll (file missing)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
    O3 - Toolbar: &Ask Jeeves - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
    O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I4D1.EXE /P23 "EPSON Stylus C83 Series" /O6 "USB001" /M "Stylus C83"
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [\\FOS\EPSON Stylus C83 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I4D1.EXE /P29 "\\FOS\EPSON Stylus C83 Series" /O6 "USB002" /M "Stylus C83"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [YCentral] c:\progra~1\yahoo!\YCentral\YahooCentral.exe
    O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
    O4 - HKLM\..\Run: [RelevantKnowledge] c:\winnt\system32\rlvknlg.exe -boot
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [BPK] C:\Program Files\Perfect Keylogger Lite\bpk.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    O4 - Global Startup: Lexibase Express.lnk = C:\Program Files\Softissimo\Lexibase Pro\exe\L-Express.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://speedbar.ask.com/menusearch.html?p=4
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Save To MyJeeves - res://C:\Program Files\AskJeeves\bar\bin\saveit.ocx/imageit.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PRMT6\PRMTIE\prmtie5.htm
    O9 - Extra 'Tools' menuitem: Translate - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PRMT6\PRMTIE\prmtie5.htm
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PRMT6\PRMTIE\options.htm
    O9 - Extra 'Tools' menuitem: Customize translation options - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PRMT6\PRMTIE\options.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

  2. #2
    MikeCan,
    You may want to print this out, or save it as a Notepad document on your Desktop, since you won't have Internet access in Safe Mode.
    -----------------------------------------------------------
    Use Add/Remove Programs In Control Panel
    From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
    Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

    RelevantKnowledge
    AskJeeves
    WORDRE~1 <== you fill in the real name
    Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
    -----------------------------------------------------------
    Set Your Computer to Show All Files
    Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. In addition, if you have Windows XP, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
    -----------------------------------------------------------
    Start Your Computer in Safe Mode.
    Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list.
    In some systems, this may be the F5 key, so try that if F8 doesn't work.
    -----------------------------------------------------------
    Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
    It's extremely important not to open any windows while the scan is in progress.
    Now Run Ewido
    * Click on scanner
    * Click on Settings
    * Under "How to scan" all boxes should be selected
    * Under "Possibly unwanted software" all boxes should be selected
    * Under "What to scan" select scan every file
    * Click OK
    * Click on Complete system scan
    * Let the program scan the machine
    * If ewido finds anything, it will pop up a notification.
    * Let it fix whatever it finds
    Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
    * Click Save report
    * Save the report to your desktop
    * Exit ewido
    When you compose your reply, paste the contents of the report into it.
    -----------------------------------------------------------
    Reboot into Normal Mode
    -----------------------------------------------------------
    Remove log items with HijackThis. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
    Click Scan. When the Scan is complete, Check the following entries:
    (Some of these lines may be missing)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...rch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...//www.yahoo.com

    O2 - BHO: ajBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
    O2 - BHO: XBTB09580 Class - {FFDA4F6F-2EA3-4942-9420-E42880965A3A} - C:\PROGRA~1\WORDRE~1\WORDRE~1.DLL (file missing)
    O3 - Toolbar: &Ask Jeeves - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
    O4 - HKLM\..\Run: [RelevantKnowledge] c:\winnt\system32\rlvknlg.exe -boot
    O8 - Extra context menu item: Save To MyJeeves - res://C:\Program Files\AskJeeves\bar\bin\saveit.ocx/imageit.html

    Make certain all other windows are closed, and click Fix Checked
    -----------------------------------------------------------
    Start Your Computer in Safe Mode Again
    Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work. Additional Info is here: http://www.computerhope.com/issues/chsafe.htm
    -----------------------------------------------------------
    File Deletion.
    In Windows Explorer, navigate to these files and folders. Use Find (F3) or Start, Search if the folder is not shown; then Delete these, if present:
    C:\Program Files\AskJeeves\
    C:\PROGRAM FILES\WORDRE~1\ <== you supply the real folder name
    c:\winnt\system32\rlvknlg.exe <== this file only
    If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
    If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the filename is in there, click End Process, then retry Delete.
    Note the name and location of any file you cannot delete.
    -----------------------------------------------------------
    Post a New HJT Log
    Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
    When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the Ewido log.

    askey127

  3. #3
    Thank you for the info. I followed all the instructions.

    Here is the ewido log:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 1:49:32 PM, 1/13/2006
    + Report-Checksum: 40D999AD

    + Scan result:

    HKLM\SOFTWARE\Blazing Tools\Perfect Keylogger -> Logger.PerfectKeylogger : Cleaned with backup
    HKLM\SOFTWARE\Blazing Tools\Perfect Keylogger\1.0 -> Logger.PerfectKeylogger : Cleaned with backup
    HKU\S-1-5-21-1757981266-343818398-839522115-1004\Software\Blazing Tools\Perfect Keylogger -> Logger.PerfectKeylogger : Cleaned with backup
    HKU\S-1-5-21-1757981266-343818398-839522115-1004\Software\Blazing Tools\Perfect Keylogger\1.0 -> Logger.PerfectKeylogger : Cleaned with backup
    C:\Documents and Settings\Presidente\Cookies\presidente@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Presidente\Cookies\presidente@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Presidente\Cookies\presidente@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\Presidente\Cookies\presidente@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Presidente\Cookies\presidente@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Presidente\Cookies\presidente@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Program Files\Perfect Keylogger Lite\bpk.exe -> Logger.Perflogger.a : Cleaned with backup
    C:\Program Files\Perfect Keylogger Lite\bsdhooks.dll -> Logger.Perfectkeylogger.10 : Cleaned with backup
    C:\Program Files\Perfect Keylogger Lite\lview.exe -> Logger.Perfectkeylogger.10 : Cleaned with backup
    C:\Program Files\Perfect Keylogger Lite\uninstall.exe -> Logger.Perfectkeylogger.10 : Cleaned with backup


    ::Report End
    --------------------------------------------------------------------------
    I decided I would either look for another program or just reinstall key logger lite. Here is the Hijack log:

    --------------------------------------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 2:25:44 PM, on 1/13/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\keyhook.exe
    C:\WINNT\htpatch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\progra~1\yahoo!\YCentral\YahooCentral.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\ClamWin\bin\ClamTray.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Softissimo\Lexibase Pro\exe\L-Express.exe
    C:\WINNT\system32\sistray.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Softissimo\Lexibase Pro\exe\lexibase.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Documents and Settings\Presidente\Desktop\UTILITIES\Registry&Startup\HijackThis\HjkThs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Program Files\PRMT6\PRMTIE\prmtie.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
    O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [YCentral] c:\progra~1\yahoo!\YCentral\YahooCentral.exe
    O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [BPK] C:\Program Files\Perfect Keylogger Lite\bpk.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    O4 - Global Startup: Lexibase Express.lnk = C:\Program Files\Softissimo\Lexibase Pro\exe\L-Express.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://speedbar.ask.com/menusearch.html?p=4
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PRMT6\PRMTIE\prmtie5.htm
    O9 - Extra 'Tools' menuitem: Translate - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PRMT6\PRMTIE\prmtie5.htm
    O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PRMT6\PRMTIE\options.htm
    O9 - Extra 'Tools' menuitem: Customize translation options - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PRMT6\PRMTIE\options.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    Let me know if I need to take care of anything else. Thanks a bunch.
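    As an added example (not from this thread, from HijackThis, or from askey127), here is a small Python script that does by machine what posts #2 and #3 do by hand: it keys HijackThis log lines so that the helper's fix list can be matched against the user's log even though the forum truncated the yahoo URLs differently in the two posts (R lines are keyed on the registry value name, O2/O3 on the CLSID, O4 on hive plus [Name]), reports which listed entries are still present, and diffs a before/after log. The log fragments are constructed from lines in this thread; the parsing rules are an assumption about HJT v1.99 output.

```python
"""Check a HijackThis fix list against a log and diff two logs.

Constructed example: the fragments below are trimmed from the logs posted
in this thread. The line-format rules are assumptions about HJT v1.99.
"""
import re

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def entry_key(line):
    """Return a stable identity for one HJT entry line, or None.

    Full text is a poor key: forum software truncated the URLs differently
    in the user's log and in the helper's fix list. So R lines are keyed on
    the registry value name, O2/O3 on the CLSID, O4 on hive path plus the
    [Name] of the Run value, O8 on the menu item name; anything else on the
    whole body.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1", "R3"):
        return (section, body.split(" = ", 1)[0])
    if section in ("O2", "O3"):
        clsid = CLSID_RE.search(body)
        return (section, clsid.group(0).upper() if clsid else body)
    if section == "O4":
        # "HKLM\..\Run: [Name] command" -> (hive path, Name)
        m4 = re.match(r"^(?P<where>[^:]+): \[(?P<name>[^\]]+)\]", body)
        if m4:
            return (section, m4.group("where"), m4.group("name"))
        return (section, body)
    if section == "O8":
        return (section, body.split(" - ", 1)[0])
    return (section, body)


def parse_log(text):
    """Map entry key -> original line for every HJT entry line in text."""
    entries = {}
    for line in text.splitlines():
        key = entry_key(line)
        if key is not None:
            entries[key] = line.strip()
    return entries


def still_present(fix_list, log):
    """Lines of the helper's fix list whose entries still appear in log."""
    log_keys = parse_log(log)
    return [log_keys[k] for k in parse_log(fix_list) if k in log_keys]


def diff_logs(before, after):
    """(removed, added) entry lines between two logs of the same machine."""
    b, a = parse_log(before), parse_log(after)
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added


# Constructed fragments trimmed from the first log in this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: ajBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O3 - Toolbar: &Ask Jeeves - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [RelevantKnowledge] c:\winnt\system32\rlvknlg.exe -boot
O4 - HKCU\..\Run: [BPK] C:\Program Files\Perfect Keylogger Lite\bpk.exe
O8 - Extra context menu item: Save To MyJeeves - res://C:\Program Files\AskJeeves\bar\bin\saveit.ocx/imageit.html
"""

# Constructed fragment trimmed from the second (post-cleanup) log.
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKCU\..\Run: [BPK] C:\Program Files\Perfect Keylogger Lite\bpk.exe
"""

# The helper's "Check the following entries" list; note the URL is
# truncated differently ("ie...rch") than in LOG_BEFORE ("ie/...ch").
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...rch/search.html
O2 - BHO: ajBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O3 - Toolbar: &Ask Jeeves - {5A074B29-F830-49de-A31B-5BB9D7F6B407} - C:\Program Files\AskJeeves\bar\bin\ajBar.dll
O4 - HKLM\..\Run: [RelevantKnowledge] c:\winnt\system32\rlvknlg.exe -boot
O8 - Extra context menu item: Save To MyJeeves - res://C:\Program Files\AskJeeves\bar\bin\saveit.ocx/imageit.html
"""

if __name__ == "__main__":
    for line in still_present(FIX_LIST, LOG_AFTER):
        print("still present:", line)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"{len(removed)} entries removed, {len(added)} added")
```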

  4. #4
    MikeCan,

    Nice Work. Looks pretty good. I was afraid some of it wouldn't go, since we didn't disable Teatimer first. I think you're OK. Let me suggest a few things to improve security going forward:
    -----------------------------------------------------------
    Download and install CCleaner from here.
    Set Options in CCleaner and run Cleaning Scan. Open the CCleaner program.
    ( Do not use the Issues block to clean anything with this program. It is for registry detail experts only and it is risky).
    • Select all Temp Files for Removal.
      Click on the Options block on the left. Select Advanced.
      Uncheck "Only delete files in Windows Temp folders older than 48 hours".
    • Set Cookie Retention.
      Click on the Options block on the left, then choose Cookies.
      Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
    • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
      Check everything Except Autocomplete Form History and the Advanced part of the Menu. Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
    • Reset Temp File Removal for Regular Use.
      Click on the Options block on the left. Select the Advanced button.
      Check "Only delete files in Windows Temp folders older than 48 hours".
      Click on the Custom button.
    • Set CCleaner to Run When Computer Starts. Click on the Options block on the left, then choose Settings. Check Run CCleaner when computer starts.

    -----------------------------------------------------------
    Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
    After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.
    -----------------------------------------------------------
    Download and Install a HOSTS File
    A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
    You can download the MVPS Hosts File and see a HOSTS file tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
    This website also contains useful tips, and links to other resources and utilities.

    askey127

  5. #5
    Thanks askey! I actually already have CCleaner and have used it on the computer already. I also installed SpywareBlaster as suggested by some other site a while back (dunno if I should have done that after cleaning everything up or not *shrug*). I downloaded a host file from somewhere, but don't remember where, heh, and never installed it. I'm gonna find out where I got it from and if it is legit I'll install it. Thanks for the help... ok just found out where I got the host file, happens to be the same website you pointed me at! Hey I feel special, I was already taking the steps to making the computer safer without a tech guru telling me how to... I do have hope. (technically a tech guru did tell me, I just read it in a tutorial, but still...ok I'm done.) Thanks for everything!

  6. #6
    Mike,
    Just so you know, the HOSTS file is updated fairly often, so I'd suggest using the latest one from the site. The villains out there keep inventing new website names to avoid identification.

    Again, good luck, and good work. You did it.

    askey127

  7. #7
    This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

    Include the link to the thread and detail why you need it reopened.

    If this is not your thread please start a New Topic.