
got Trojan.ByteVerify...

by reedhave / January 21, 2006 3:40 AM PST

...and Norton removed it. Even though it did, I can not enable my Windows Firewall. It says "For your security, some settings are controlled by Group Policy". I also must enable the Windows Firewall/ICS Service to open up the firewall program. When I get online, an Internet Gateway is created. It also uses AIM to send a link to others. Also when I connect, Internet Explorer opens up to niggaz.100free.com/index.html.
How can I remove what is doing this? I have run Norton AntiVirus scans, Spybot Search & Destroy, and Ewido. I have a Windows XP SP2 machine.

Thanks

Corey

I forgot to add...
by reedhave / January 21, 2006 4:33 AM PST

there is a process that is run by SYSTEM called "*****1.exe"

Hi! I'm Not Really an Expert on This but...Normally, Java Byte
by tobeach / January 21, 2006 2:14 PM PST

Verify is only lodged in the 2 Java caches in Sun Java.
Normally this is removed by dumping (emptying) the contents thereof. I keep my Java set with Cache disabled to avoid this pest.
I suggest you download & install CCleaner and then AFTER clicking the "options button" > click "advanced" and uncheck the "only remove temp Internet files older than 48 hours" (after cleaning you can go and recheck for normal use), then run the initial scan. After, I would disable caching for a day or two 'til all seems normal (if you feel you must have it for some reason).
CCleaner cleans both caches (the second one is very hard to locate so J.B.V likes to hide there).
Either your browser has been hijacked to that page, or your outgoing request is being redirected by a Browser Helper Object? After further cleaning, you will be able to reset it in your IE Options & Spybot.
I'm assuming you do in fact have the REAL Norton & Spybot (spelling mistype?) & Ewido.
At this point, if your Ewido is basically recently updated, I would physically disconnect from the web (unplug phone line or cable), reboot into Safe Mode and while in Safe Mode run a full scan & removal with Ewido. It should be able to remove remains after CCleaner got the Java caches.
I would disable AIM in msconfig/Start-up or Services tab &/or in Spybot's Tools > Start-up file. That program is a security nightmare much like a P2P.
If you know exactly WHEN you got this, a System Restore to a date before may help reset some of the system settings that have been changed (i.e. firewall etc). Your firewall depends on several MS services running to enable it to function. I can't just now recall which ones they are but they have check boxes in msconfig > startup & services tabs.
The 1st link below is to download CCleaner, the 2nd is a help page you should save to your docs as a .txt-only file and print out so you'll know what all those items checked for cleaning are, to use when doing initial settings after install.
Hopefully, by this point you may be reasonably functional and able to post back w/ results and for further help as needs be.
If nothing else, you'll want to know how to use Spybot S&D in advanced mode so as to lock down some settings to help prevent re-occurrence.
1) http://www.ccleaner.com/
2) http://www.ccleaner.com/help/
The following link (about 1/2 way down under alt. browsers) has in misc. a link on how to get into safe mode as well as links to the real programs (not rogue copies):


http://reviews.cnet.com/5208-6132-0.html?forumID=32&threadID=114259&messageID=1298628
If not a perfect cure yet, at least a solid start and I expect others will also advise as they find their way here. Patience is a virtue & will get you thru (tho hard to come by at the moment). Please post back with results so any lingering bits can be dealt with.

(NT) I Forgot!: Spybot S&D Also Scans & Removes Byte Verify!
by tobeach / January 21, 2006 2:28 PM PST
You Didn't Say If You Have Sun Java or Only MSs'....
by tobeach / January 21, 2006 3:06 PM PST

version which, at my last look, was full of holes, which is why everyone should be using Sun's by now. If you have only MS's, it allows deeper penetration into the system (which you seem to have). If so, as soon as clean I suggest you go to this link and get Sun's version. Since you're SP2, you probably should get version (JRE) 1.50. If that causes you serious problems (not likely but can happen) then you might try J2SE 142_10 (JRE) from the 2nd link. I've seen cases (my daughter) where _10 was fine but 1.50 (also called 5.0) caused frequent crashes. (In passing: once you get Sun, you can get an alt browser like Mozilla or Firefox.) 1st check your system specs for minimum. You can do an online install, or I prefer to download the Offline version saved to My Docs so you always have a backup copy on hand.
1) http://www.java.com/en/download/windows_xpi.jsp
2) http://java.sun.com/j2se/1.4.2/download.html
Good Luck!

Corey.. You may find some answers here..
by Carol~ Forum moderator / January 21, 2006 4:17 PM PST

This may help you out in regard to the error message, "For your security, some settings are controlled by Group Policy". Are you an administrator? A third of the way down the page you will see:

"How To Determine Whether Windows Firewall is Configured with Group Policy Settings"

If this is not the case, take a look here and see if this doesn't help you out.

When you removed the Trojan, did you follow Norton's Removal Instructions?

If it is necessary to empty Java's cache, you can find some easy, concise instructions here.

Having said all of the above.. and qualifying that I am not a ''removal expert''.. there is something telling me you are dealing with additional issues. All of the above has been researched through Google.

Until such time as someone who does recognize your problem sees this, it wouldn't hurt to take a look at the above.

Some light reading for you..
Carol

(It's possible that your settings may have been "changed" by whatever you're infected with; if not, you should be able to rule out the firewall issue prior to proceeding with your other issues)
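
Carol's link concerns whether the firewall is configured by Group Policy. On XP SP2 those policy settings live under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall, and the "controlled by Group Policy" message in the control panel reflects that key being present, whether a domain, the local policy editor or some program writing the registry put it there. As an added example that is not part of the original thread or of the Microsoft article, the following Python script reads the text that `reg query HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall /s` prints and explains what the policy is enforcing. The embedded dump is constructed sample output patterned on reg.exe 3.0 formatting, the exception entry is a placeholder name rather than anything from the thread, and `domain_joined` is an assumed input the caller supplies.

```python
import re

# Real location of the Windows Firewall policy settings on XP SP2 (what the
# "controlled by Group Policy" message reflects); everything below it is sample data.
POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"

# Constructed sample, patterned on reg.exe 3.0 output for
#   reg query HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall /s
# The exception entry is a placeholder name, not a real program from the thread.
SAMPLE_DUMP = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List
    C:\WINDOWS\EXAMPLE_unknown.exe    REG_SZ    C:\WINDOWS\EXAMPLE_unknown.exe:*:Enabled:EXAMPLE placeholder
"""

# A value line is indented: "<name>  <REG_TYPE>  <data>" (two or more spaces between).
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from reg query /s output."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # blank line or the "! REG.EXE VERSION" banner
        if not line[0].isspace():
            current = line.strip()        # unindented line = a key path
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), m.group("data").strip())
    return keys


def firewall_policy_findings(keys, domain_joined=False):
    """Explain, from parsed policy keys, why the firewall UI would be locked."""
    findings = []
    if not any(k.upper().startswith(POLICY_ROOT.upper()) for k in keys):
        return findings                   # no policy keys: the UI is not policy-locked
    if not domain_joined:
        findings.append("policy keys exist but the machine is not domain-joined: "
                        "only Local Group Policy (gpedit.msc) or something writing "
                        "the registry directly could have created them")
    for profile in ("DomainProfile", "StandardProfile"):
        prof_key = f"{POLICY_ROOT}\\{profile}"
        vals = keys.get(prof_key, {})
        if "EnableFirewall" in vals:
            _, data = vals["EnableFirewall"]
            state = "OFF" if int(data, 16) == 0 else "ON"
            findings.append(f"{profile}: policy forces the firewall {state} (EnableFirewall={data})")
        list_key = f"{prof_key}\\AuthorizedApplications\\List"
        for name, (_, data) in keys.get(list_key, {}).items():
            findings.append(f"{profile}: policy-defined exception for {name} ({data})")
    return findings


if __name__ == "__main__":
    for finding in firewall_policy_findings(parse_reg_query(SAMPLE_DUMP)):
        print(finding)
```

If the key does not exist, reg.exe prints an error instead of a listing and the parser returns no keys, which is the expected state for a standalone machine that has never had local firewall policy set. A profile whose policy value is 0 cannot be switched on from the control panel until that policy is cleared (the route through the local computer policy snap-in that the Microsoft page describes) or the policy key is gone; the exception list is worth reading for the same reason, since a policy-defined exception does not show as something the user added.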

Heres more detail..
by reedhave / January 22, 2006 3:01 AM PST

...Norton detected the Trojan in a scan that I ran in safe mode. I tried a system restore before that, but it failed. I knew that on another virus that I had to remove manually I had to disable system restore, so I did. As soon as I knew it was sending information out and was infected I took it off the internet. That was the first thing that I did. I use Firefox all the time for browsing, and the home page is still the same as it should be. I am the administrator for my network and computer, and I have not done anything with network settings for the firewall to be controlled by Group Policy. So, the hijacker is probably controlling my firewall. In order to open my firewall configuration, I have to enable Firewall Sharing/ICS.

What is MSs? (posted by tobeach) Also, how would I clear the cache for Java? I cleared its temporary internet files.

On the "WhatIsGroupPolicy" page posted by Carol, I tried to open up the group policy, but I think I am doing it wrong because it won't open. On the troubleshooting page that you gave me from Microsoft's page, it says to use the local computer policy snap-in to clear the firewall settings. What is the snap-in?

Right now I am running an a-squared scan to see if I can find anything else. I have run many ewido scans and that is finding things too.

Thanks for your help,

Corey

Corey.. a very little info....
by Carol~ Forum moderator / January 22, 2006 4:20 AM PST
In reply to: Heres more detail..

In an effort to help you, I think Tobeach may have given you too much information. (IMO) He is probably asking you whether you have Sun's Java, or Microsoft's Virtual Machine. My guess is that you have Sun's Java. Read through the below link. ( In answer to your question about Java's cache..the cache and Java's temporary internet files are one and the same)

http://www.java.com/en/download/help/cache_virus.xml

I wish I could be of more help. What I can do is point you here, where you may be able to find some additional information.

http://www.google.com/search?hl=en&q=Trojan.ByteVerify

You said, "there is a process that is run by SYSTEM called 'nigga1.exe'". My uneducated guess is that this may be contributing/adding to your problem. As to how to get rid of it.. I don't have a clue! Sorry.

Good luck..
Carol
(You may also want to take a look here)

My virtual machine is Java...
by reedhave / January 22, 2006 4:33 AM PST

...I checked in my Access and Defaults. Also, I have Java 2 version 1.5.0. Do I need to update to version 6?

Now the process is "*****32.exe." ***** is also the website that IE opens to when I get online.

-Corey

I have no idea what those stars are in..
by reedhave / January 22, 2006 4:40 AM PST

..my previous post. I think that is where I put part of the site's name, but I am not sure. I don't remember putting stars there.

Corey.. the stars..
by Carol~ Forum moderator / January 22, 2006 5:28 AM PST

It used to be, if someone used the word ''f r e e''.. in an address.. it would show up at ****. I've been told that has changed. (It's the only thing I can think of.)

And btw..you have no need to update Java.

Have you made ANY progress.. with the exception of going from 1.exe to 32.exe? :) (I know it's nothing to smile about.. but thought I'd add a little humor into your frustrating day!)

Carol

Not much Progress..
by reedhave / January 22, 2006 5:46 AM PST
In reply to: Corey.. the stars..

I have run many scans: ewido, a-squared, Spybot S&D, Ad-aware, and Microsoft Anti-Spyware. They all pick up a couple of things. My problem is not that I have the trojan, because I believe Norton got rid of it. I believe my problem is what is left from the trojan. I still can't enable my firewall, and it will still send a link to itself to others if I log onto AIM. It also still opens IE and I have noticed that the process has not started every time lately. It also still creates an internet gateway.

In your first post, Carol, you gave me a link to a site about the Group Policy and I tried to open gpedit.msc and I could not. Do you know how I could do that? I entered it into a "command prompt" and "run".

Thanks,
Corey

Corey.. as a thought..
by Carol~ Forum moderator / January 22, 2006 7:16 AM PST
In reply to: Not much Progress..

I totally understand what you are saying about cleaning up the damage. However, if you're saying nigga32.exe is still on your system, I somehow don't think it should be part of your operating system. I can only tell you what I would do. I would want to be 100% sure my system is clean, before doing anything else. In the time it's taken to run all the scans, it might be worth your while to download HJT and be sure. If you chose to do so, this link will ''get you there''.


http://reviews.cnet.com/5208-6132-0.html?forumID=32&threadID=107213&messageID=1223125

If you choose not to go that route, you can wait and see if someone else can add to this. I'm out of thoughts. Or, if you're totally convinced you are clean and don't get further help here, maybe try another forum, making sure to include this link so people know what you have and haven't tried.

Sorry I can't be of more help..
Carol

Another thing..
by reedhave / January 22, 2006 6:27 AM PST
In reply to: Corey.. the stars..

Whenever I get online (meaning plugging in my USB network adapter) and after I take it back off, the internet does not work on other computers on my network, and I have to unplug and plug in my router (D-Link DI-524). I just said that in case that helped. Let's concentrate on the issue of what my computer is doing though, unless it has affected my router somehow.

Corey

If you want to update Java..
by Carol~ Forum moderator / January 22, 2006 9:12 AM PST
Reedhave.. Did You Download & Adjust Advanced>temp...
by tobeach / January 22, 2006 3:52 PM PST

and run CCleaner?? If you did, CCleaner would have found your Mozilla/FF and auto cleaned all temp & caches there as well as Sun Java and IE temp files (plus about 30 other things).
Did you try running Spybot (safe mode)?? Byte Verify is one of its listed targets.
Where, on YOUR computer, are you finding 32*****.exe??
In Process Manager (gotten by pressing control/alt/delete buttons at the same time), under the processes tab, are you seeing it listed? If so: press "stop process" then (without rebooting!!) go to Start > Search > all files & folders and enter the 32*****.exe and let it search. When it shows in results, highlight > right click and press delete. Repeat if more than 1 copy found.
Clearly, every time you hit that site/room they're reloading you!!
I don't use AIM so don't know about it...but..is there a way you can BLOCK that address/url/site?? At the very least, DISABLE AIM since that's the infection path. If you can't, I'd dump AOL (I refuse to have anything AOL on my computer).
The only time I saw J.B.V. survive a CCleaner run was because it was constantly trying to reload through an exploit hole in MS's VM. Tony eventually un-installed Sun Java and then installed an entire fresh copy. He didn't use CCleaner at first to clean the 2 caches. Would have saved him hours of effort.
As far as IE going to the site: In IE Options (in control panel) click Security Tab > click Restricted Sites > click "sites" button. Type in the site's name and click OK. Repeat for each variation of the site name you can guess or know. This should block IE from going there.
I'm sorry but beyond the above, I'm also running out of ideas. I suppose after all this you might try running system Error Check to re-install a clean copy of system files (assuming that would help your firewall problem)?
I suspect that AIM has its own gateway connection and requires it not be firewalled because your "contacts" wouldn't be able to contact you? Similar to IM? Don't know other than it's a horror story and there is a patch program for it that issues patches almost daily.
Best of luck. Let us know of results.

*****1.exe & *****32.exe are in C:
by reedhave / January 23, 2006 1:43 AM PST

The two process files are right in my C drive. I did find them using Google Desktop; I did not see the actual files though using Windows Explorer.

I just ran CCleaner and it didn't find anything wrong with Sun Java. This is probably because I don't have the trojan anymore, I just have the after effects.

It still creates a gateway and it did not start the process *****1.exe or *****32.exe. Also, IE didn't open to the web page. I still can't control my firewall though.

I don't run AIM on the computer because I know it will send it out.

Should I uninstall SP2 because that is where the Firewall is and then reinstall it?


Thanks,
Corey

Good Grief
by doingthis2long / January 22, 2006 8:59 PM PST

Run Microsoft Antispyware on the machine one time. Dump Norton Antivirus. Download AVG Free Antivirus from free.grisoft.com. Scan your computer once with this as well. Rescan with Antispyware and then rescan with AVG.

Cory..Glad to see you posted..
by Carol~ Forum moderator / January 23, 2006 3:40 AM PST

in the Windows XP Forum. You failed to mention you already had a HJT log analyzed in any of these posts. (Now.. I know why you were so sure you were ''clean''. ;))

Anyway.. good luck to you. Post back if.. and yes ''when''.. you get things straightened out.

Sincerely,
Carol

So, Should I Reinstall SP2?
by reedhave / January 23, 2006 7:43 AM PST

Because this firewall is built into SP2, should I uninstall it and install it again? I have reinstalled it before due to another problem.

-Corey

Or should I...
by reedhave / January 23, 2006 7:44 AM PST

..I talked with the person I got it from and they said that they send it to everyone on their list, and they don't think their computer has a problem. Should I just let it send it to everyone on my AIM buddy list? I really do not want to.

-Corey

PROGRESS UPDATE & HJT LOG
by reedhave / January 23, 2006 8:27 AM PST

Before my previous post, I ran a few scans in Safe Mode. Ewido ran for 133 minutes and found nothing on my system.

Ok, here's what's left to do:
1. Figure out Windows firewall problem
2. Figure out why an internet gateway is created that I cannot disable or delete
3. Figure out why every time I plug in my network adapter to get on the internet, the internet does not work on any of the other computers until I unplug and plug back in my router.

So, I have made much progress. It no longer sends itself through AIM. IE does not open by itself like it used to. The processes are not starting. Those are most of what I can think of that have been fixed.

Now, here's the fun part. Here is my HijackThis log. The links here are just ones that were in the log, not ones that I created:

Logfile of HijackThis v1.99.1
Scan saved at 7:07:50 PM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\mstlsapi32.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\WinBar\WinBar.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Messenger\msmsgs.exe
L:\APPLICATIONS\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [type32] ''C:\Program Files\Microsoft IntelliType Pro\type32.exe''
O4 - HKLM\..\Run: [IntelliPoint] ''C:\Program Files\Microsoft IntelliPoint\point32.exe''
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] ''C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe'' -Embedding -boot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [gcasServ] ''C:\Program Files\Microsoft AntiSpyware\gcasServ.exe''
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] ''C:\Program Files\QuickTime\qttask.exe'' -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] ''C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe'' /startup
O4 - HKLM\..\Run: [TkBellExe] ''C:\Program Files\Common Files\Real\Update_OB\realsched.exe'' -osboot
O4 - HKLM\..\Run: [SpySweeper] ''C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe'' /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] ''C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE''
O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://instantgreetings.aol.com/prod/install.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125692036994
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O20 - AppInit_DLLs: mad.dll,wbsys.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mstlsapi32 - Unknown owner - C:\WINDOWS\mstlsapi32.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Office Server Extensions Notification Service (OWSTimer) - Unknown owner - C:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Lotta stuff there.

Thanks for all your help :D.
-Corey

PS. Still consider if I should reinstall SP2 for the firewall issue and what to do about the internet gateway issue.
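
As an added example (not code from this thread, from HijackThis, or from any of the posters), here is a small Python triage pass over a log in the format above. It applies the checks a helper does by eye: services whose vendor is recorded as "Unknown owner", binaries running or registered directly in the Windows folder rather than a subfolder (with an allowlist for the few legitimate ones such as Explorer.EXE), orphaned BHO entries, AppInit_DLLs, and a missing URLSearchHook. The embedded log is a constructed excerpt patterned on the posted one; every flag is a prompt to look something up, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in HijackThis v1.99 log format, patterned on the log posted
# above (not the full log). Paths are sample data for the checks below.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\mstlsapi32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O20 - AppInit_DLLs: mad.dll,wbsys.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: mstlsapi32 - Unknown owner - C:\WINDOWS\mstlsapi32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""


@dataclass
class Finding:
    section: str   # "process" or the HJT section code (O2, O23, ...)
    reason: str
    line: str


# An executable or DLL sitting directly in the Windows folder, not in a subfolder
# such as System32. A few legitimate binaries do live there, hence the allowlist.
WINDOWS_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\(?P<file>[^\\]+\.(exe|dll))$", re.IGNORECASE)
KNOWN_IN_ROOT = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}
ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")


def in_windows_root(path):
    m = WINDOWS_ROOT.match(path.strip())
    return bool(m) and m.group("file").lower() not in KNOWN_IN_ROOT


def triage(log_text):
    """Return the Findings a helper would want to look at first."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # the process list ends at the blank line
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if in_windows_root(line):
                findings.append(Finding("process", "running from the Windows folder root", line))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O23":
            # "Service: <name> - <owner> - <path>": split off the last two fields
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3:
                _, owner, path = parts
                if owner == "Unknown owner":
                    findings.append(Finding(sec, "service with no recorded vendor", line))
                if in_windows_root(path):
                    findings.append(Finding(sec, "service binary in the Windows folder root", line))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(Finding(sec, "orphaned BHO registration (file missing)", line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(Finding(sec, "AppInit_DLLs loads into every GUI process; verify each DLL", line))
        elif sec == "R3" and body.endswith("is missing"):
            findings.append(Finding(sec, "default URLSearchHook missing (common leftover of a hijack)", line))
    return findings


def by_section(findings):
    """Count findings per section, handy for a quick summary."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run over the full log it would raise the same items a human reader looks at first. Two design points matter more than the rules themselves: a location rule needs an allowlist (Explorer.EXE legitimately sits in the Windows folder root, so it is not flagged), and "Unknown owner" only means HijackThis found no vendor string on the service, which some legitimate third-party services also lack, so each hit still needs to be looked up before anything is removed.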

Corey.. before someone..
by Carol~ Forum moderator / January 23, 2006 8:41 AM PST
(NT) I wasn't planning on having anyone analyze it anyways
by reedhave / January 23, 2006 9:27 AM PST
(NT) Sorry.. thought that was why U posted the HJT log here
by Carol~ Forum moderator / January 23, 2006 1:04 PM PST
Please read this thread
by roddy32 / January 23, 2006 8:44 AM PST
(NT) OK..what's my next move?
by reedhave / January 23, 2006 9:33 AM PST
Ok. Your next move
by hpjohn11 / January 23, 2006 12:12 PM PST

I would suggest manually deleting the *****1 and 32 files. Also go to windows 32 and see if there is a strange exe program and delete it.

For a Quick Scan, You Can Copy & Paste Your HJT to This...
by tobeach / January 23, 2006 2:10 PM PST

auto scan page.
http://www.hijackthis.de/index.php


It tends to consider "Unknown Processes" as a threat. Always wants to get rid of Active-X's (which can be a major threat, especially if linking to untrustworthy sites or ready to import anything it comes across).
I still consider your AIM (toolbar) as a major problem, especially if you don't have AIM Fix and update it (almost daily). Try entering it in Search above for a link to its home for downloading.
The scan will probably tell you where your Browser Hijack is.
You could re-install SP2 but this might pose fewer difficulties for you since you don't need techie skills:

Disk/repair (Check Disk) (like SFC)
Left click on My Computer (open)
Right click on "C" or your OS drive if another letter.
Left click Properties and then click Tools Tab.
Left click on "Error Checking" > Check Now.
Left click to enter check mark in BOTH boxes offered.
Left click on "Start".
Computer will have to reboot to begin repairs.
Just leave alone (you're locked out anyway) 'til process finished.
In regular mode will take about 1 Hour (more/less).
In Safe Mode about 2 hours.
If computer normal after process complete you might want to create a new restore point and label it POST ERROR REPAIR.
Hope this gets it for you. This is based on using an onboard copy of sys files if copy is ok.
If copy is corrupted, it may tell you to insert XP or SP2 (if patch applied) disk to get new, clean copy inserted. Good to have disk at hand. Good Luck!!

I did an error check..
by reedhave / January 24, 2006 9:40 AM PST

...and I don't think it found anything but I am not sure. This is because I did something else and came back and it was booted up normal.

Still have the same problems, Firewall and Internet Gateway....

-Corey

For the Firewall, Try This... Go To Start> Run> Type In...
by tobeach / January 24, 2006 2:32 PM PST

Box there msconfig & click OK. On the General Tab facing you, see if the bullet is in "Normal Start-up". If not & you don't know why, then change to that by ticking so the bullet is there.
On the Services tab there: at the bottom click "enable all".
There are several items in the Services Tab (example: encrypt, not obviously connected to the firewall) that have to be running for the firewall to work.
On the start-up tab check to see if AIM is a separate item box from AOL. If so, UN-check it. The Start-up Tab is mostly 3rd party items (Anti-Virus, Media players, etc.). Uncheck anything you don't recognize or know for a fact is safe. NAV is safe!!
Question: Are we talking about Norton's firewall or ??
Re-start computer and see if firewall enabled. If you can access your Security Center in Control panel, L. click on Windows Firewall and check under firewall rules (Exceptions) if anything has permission to call in/out that shouldn't (Nig**32.exe?). Remove permissions by unchecking anything you didn't put in there. If AIM has a box, uncheck. If only AOL general box, can you get on net without it? If so uncheck as a test. You can recheck later if found safe.
Having little idea about network connections in general and yours in particular, I can't make any suggestion other than to see if you can now delete that extra gateway. Good Luck!
