need help removing service

| Author |
Message |
tiggertekah
Joined: 16 May 2006 Posts: 1
|
Post subject: need help removing service |
|
|
It's the last line that has me concerned; that's an O20 Winlogon Notify -- the actual dll file changes with every boot.
I have a severely crippled computer.
Thanks for your help!
Logfile of HijackThis v1.99.1
Scan saved at 6:37:16 AM, on 5/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpamWeed\swengine.exe
C:\Program Files\SpamWeed\addinoe\addinoe.exe
C:\program installers\bots\HijackThis.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: AOL Instant Messenger.lnk = C:\Program Files\AIM\aim.exe
O4 - Startup: Eudora.lnk = C:\Program Files\Qualcomm\Eudora\Eudora.exe
O4 - Global Startup: mappin.bat
O4 - Global Startup: SpamWeed .lnk = C:\Program Files\SpamWeed\swengine.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = JENCEN.local
O17 - HKLM\Software\..\Telephony: DomainName = JENCEN.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = JENCEN.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = JENCEN.local
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\f82mlif1182.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVyb21lIE0gUm90aGVuYmVyZw\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe |
|
Tue May 16, 2006 3:45 pm
 |
|
 |
HJT Analyzer
Joined: 15 Mar 2006 Posts: 663
|
Post subject: My HijackThis log |
|
|
Hello, visitor!
The Hijack This log analyzer has analyzed your log. Please take a closer look at the results.
Your system seems to be infected with malicious parasites. Please follow the steps below in order to eliminate the infection and clean up your computer.
1. Download the Pocket KillBox utility. You will need it later to delete parasite-related files and folders.
2. Use HijackThis to fix the following entries:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVyb21lIE0gUm90aGVuYmVyZw\command.exe
3. The following entries are not malicious, but some of them are not used anymore. You may use HijackThis to fix a few of them. However, please keep in mind that some of the entries marked as Questionable or Not Needed are fully legitimate and might be required by installed software to work properly, while some others might be related to certain parasites. It is up to you to decide whether you need any of them, or not.
O4 - Global Startup: mappin.bat
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = JENCEN.local
O17 - HKLM\Software\..\Telephony: DomainName = JENCEN.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = JENCEN.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = JENCEN.local
4. Now restart your system in Safe Mode. This step is very important!
5. Use the Pocket KillBox utility to delete the following files:
C:\WINDOWS\SmVyb21lIE0gUm90aGVuYmVyZw\command.exe
The following files and Windows registry entries are marked as "unknown". Currently, the HijackThis Log Analyzer cannot provide required information on these items. The files and entries in the list below can be both malicious and fully legitimate. Because of this, please do not take any action! Wait for the forum responders or other forum users to provide you with necessary details and further instructions.
C:\Program Files\SpamWeed\swengine.exe
C:\Program Files\SpamWeed\addinoe\addinoe.exe
O4 - Startup: Eudora.lnk = C:\Program Files\Qualcomm\Eudora\Eudora.exe
O4 - Global Startup: SpamWeed .lnk = C:\Program Files\SpamWeed\swengine.exe
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\f82mlif1182.dll
After going through all the steps, run another HijackThis scan and post a fresh log to the HijackThis analyzer. It is possible that some parasites your system was infected with were not removed completely and may restore themselves later.
If you want to see more detailed analysis of your log, click here.
Thank you for using the 2-Spyware.com HijackThis log analyzer! |
|
Tue May 16, 2006 3:45 pm
 |
|
 |
1972vet

Joined: 09 Mar 2006 Posts: 47
|
Post subject: |
|
|
Please download Look2Me-Destroyer.exe to your desktop.
* Close all windows before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
* When Look2Me-Destroyer re-opens, click the Scan for L2M button. Your desktop icons will disappear; this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
* Your computer will then shutdown.
* Turn your computer back on.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Then click the Remove L2M button and wait for it to give you a message. When you click OK on it, it should shut itself down.
Download KILLBOX, extract it to your desktop.
Open killbox.exe.
First, click on Tools>Delete Temp Files.
A box will open with a list of all user profiles.
Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.
Temporary Internet Files
Temp Files
XP Prefetch
If you want to clean your cookies, history, and list of recent files run, you may check those boxes as well.
Then, click on the Button titled "Delete Selected Temp Files".
Exit by clicking the Button titled "Exit(Save Settings)"
Once back into the main killbox program, check the following boxes:
Delete on Reboot
Highlight all the entries in the quote box below and then Copy them.
Quote:
C:\WINDOWS\system32\f82mlif1182.dll
C:\WINDOWS\SmVyb21lIE0gUm90aGVuYmVyZw\command.exe
Then in killbox click File>>Paste from Clipboard
At this point the "All Files" button should be enabled so you can click it.
Click the "All Files" button.
Then click the Red X, and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No for now.
Note: Killbox will let you know if a file does not exist.
If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X, and for the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?"; you will need to click No until you've completed the instructions below.
Run HijackThis again and put a check in the box next to these entries that may still exist:
O4 - Startup: AOL Instant Messenger.lnk = C:\Program Files\AIM\aim.exe
O4 - Global Startup: mappin.bat
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = JENCEN.local
O17 - HKLM\Software\..\Telephony: DomainName = JENCEN.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = JENCEN.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = JENCEN.local
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\f82mlif1182.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVyb21lIE0gUm90aGVuYmVyZw\command.exe
Using Windows Explorer locate and delete the following files indicated in Bold text if they still exist:
C:\WINDOWS\system32\f82mlif1182.dll
C:\WINDOWS\SmVyb21lIE0gUm90aGVuYmVyZw\command.exe
Reboot and post back a new hjt log. |
|
Tue May 16, 2006 8:39 pm
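The original poster's observation that the Winlogon Notify DLL changes with every boot can be checked by comparing two HijackThis logs from the same machine. The Python below is an added example, not part of the thread or of any tool named in it; the function names are hypothetical, and the second-boot DLL name is a constructed placeholder. It only marks entries for review; it does not decide whether they are malicious.

```python
import re

ITEM = re.compile(r"^(O\d+) - (.*)$")  # HijackThis item lines: "O20 - ..."

def parse(log):
    """Group the body of every 'Onn - ...' line by its section code."""
    items = {}
    for line in log.splitlines():
        m = ITEM.match(line.strip())
        if m:
            items.setdefault(m.group(1), []).append(m.group(2))
    return items

def notify_dlls(items):
    """Map each O20 Winlogon Notify key name to its DLL path (lower-cased)."""
    out = {}
    for body in items.get("O20", []):
        m = re.match(r"Winlogon Notify: (.+?) - (.+)$", body)
        if m:
            out[m.group(1)] = m.group(2).lower()
    return out

def changed_notify(before, after):
    """Notify keys present in both logs whose DLL differs between boots."""
    a, b = notify_dlls(parse(before)), notify_dlls(parse(after))
    return sorted((k, a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k])

def unknown_owner_services(items):
    """(service, path) for O23 lines that HijackThis labels 'Unknown owner'."""
    hits = []
    for body in items.get("O23", []):
        m = re.match(r"Service: (.+?) - Unknown owner - (.+)$", body)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits

# Lines copied from the log posted in this thread.
BOOT1 = r"""
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\f82mlif1182.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVyb21lIE0gUm90aGVuYmVyZw\command.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe
"""
# Constructed second scan: same Notify key, different DLL name (placeholder).
BOOT2 = BOOT1.replace("f82mlif1182.dll", "constructed_name.dll")

if __name__ == "__main__":
    for key, old, new in changed_notify(BOOT1, BOOT2):
        print(f"REVIEW O20 {key}: {old} -> {new}")
    for name, path in unknown_owner_services(parse(BOOT1)):
        print(f"REVIEW O23 {name}: {path}")
```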
 |
|
 |
|