Help please

thsmug13

I ran ad aware and spybot and I got this log from HJT. How do I delete files if my system will not allow me to open in safe mode?

Logfile of HijackThis v1.99.0
Scan saved at 9:14:33 AM, on 2/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlagent.EXE
C:\Program Files\ISS\bin\system\service_start.exe
C:\Program Files\ISS\Bin\System\ISSTraceServer.exe
C:\Program Files\ISS\Bin\System\CheckPrimaryStatus.exe
C:\Program Files\ISS\Bin\System\IShipListener.exe
C:\Program Files\ISS\Bin\System\CreditService.exe
C:\Program Files\ISS\Bin\System\MessageListener.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MBE\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MBE\Binn\sqlagent.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\system32\ipgq.exe
c:\program files\iss\bin\app\ISSHealthCheck.exe
C:\Program Files\Mail Boxes Etc\CMSServices\CMSServices.exe
C:\Program Files\ISS\Bin\App\Watcher.exe
C:\Program Files\ISS\Bin\App\ISSNavigator.exe
C:\PROGRAM FILES\ISS\BIN\APP\TASKLISTENER.EXE
C:\Program Files\ISS\POS\ISSPOS.exe
C:\WINDOWS\wingj32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R3 - Default URLSearchHook is missing
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {7FF53652-4DA9-7C18-869B-8B90C486CE63} - C:\WINDOWS\system32\winze32.dll
O2 - BHO: (no name) - {A21E60F2-0648-C70B-6954-C8674404125D} - C:\WINDOWS\system32\winze32.dll
O2 - BHO: (no name) - {C735153A-68D1-A733-70E3-4788A0DFAFED} - C:\WINDOWS\system32\winze32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [POSStartUp] C:\Program Files\ISS\Bin\App\Logon.exe /L
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitence32.exe
O4 - HKLM\..\Run: [66.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\66.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [ipgq.exe] C:\WINDOWS\system32\ipgq.exe
O4 - HKLM\..\RunOnce: [wingj32.exe] C:\WINDOWS\wingj32.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {4392B188-CBA7-4CA8-A24F-31B378B3F4B5} (MSI.AXM) - https://mbe.iship.com/pss005/bin/msi_axm.cab
O16 - DPF: {48032833-56FF-4D44-ACB4-1BBAC4A3D942} (MSI.Printer) - https://mbe.iship.com/pss005/bin/msi_printer.cab
O16 - DPF: {51A4A871-14C1-40F1-8E24-8CA7CF6D620B} (MSI.Scale) - https://mbe.iship.com/pss005/bin/msi_scales.cab
O16 - DPF: {5B37ABB0-9FC0-4FA1-B2F9-95CC9A088D3C} (MSI.Ports) - https://mbe.iship.com/pss005/bin/msi_portenum.cab
O16 - DPF: {5C8F2A10-0C1B-4499-870E-6C0573AFF7BF} (MSI.csz_TDatabase ) - https://mbe.iship.com/pss005/bin/msi_cszapi.cab
O16 - DPF: {5CD04B10-040B-4929-9195-066894576CA9} (MSI.Registry) - https://mbe.iship.com/pss005/bin/msi_registry.cab
O16 - DPF: {66407C2E-2514-11D3-82F4-00A0C9D57E74} (MSI.cms_CSZ) - https://mbe.iship.com/pss005/bin/cms_csz.cab
O16 - DPF: {7EB52C24-2ED3-47DA-8845-3673931B22F9} (MSI_LabelManager Object) - https://mbe.iship.com/pss005/bin/msi_label.cab
O16 - DPF: {A12552C3-8947-11D1-9D49-00A02475D4E0} (MSI.sss_ShippingStationServices) - https://mbe.iship.com/pss005/bin/msi_shippingstation.cab
O16 - DPF: {B1234A37-C3D2-4EA1-BC14-054BC2F22807} (MSI.ClientPOS) - https://mbe.iship.com/pss005/bin/msi_posclient.cab
O16 - DPF: {BB7FDAE3-7188-45EC-84AD-E85777F96E2A} (MSI.ofl_TRatingX ) - https://mbe.iship.com/pss005/bin/msi_ratingx.cab
O16 - DPF: {F6F81E1B-2A96-491A-AEFA-6D7A0BA1CB38} (MSI.ClientScriptTools) - https://mbe.iship.com/pss005/bin/msi_cst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75FB3B8E-F9A3-4232-A05F-2AB74C12E294}: NameServer = 206.13.30.12,206.13.29.12
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSLoader - Unknown - C:\Program Files\ISS\bin\system\service_start.exe
O23 - Service: ISS Messaging Service - ISS Retail, Inc. - C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
O23 - Service: ISSStartServices - Unknown - C:\Program Files\ISS\bin\system\StartServices.exe
O23 - Service: ISS Retail Trace Server - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
O23 - Service: ISS Trace File Maintenance - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
O23 - Service: ISS Trace Monitor Host - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TSG Printer Tools - Mail Boxes Etc. - c:\program files\ups\tsg printer tools\tsg.tools.printers.service.exe
O23 - Service: ZServices v1.0.90 - Mail Boxes Etc./Technology - C:\Program Files\Mail Boxes Etc\Z Services 1.0\ZServices.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\ntsj.exe (file missing)

thsmug13

Are you guys out of England or Europe. It is 1:57pm here in California. If you don't get a chance to check out my thread before 6:00pm my time, don't bother. the computer automatically restarts and I will post a new log on Friday. Thanks again for your time and help. This site is amazing!!

Buckeye_Sam

Let's talk about Safe Mode before I put together a fix for your problem. Are you not able to boot into Safe Mode at all?

This link has instructions.

http://www.bleepingcomputer.com/forums/tutorial61.html

thsmug13

Using ms config I should be good.. I just couldn't hard boot into safe mode..it kept jumping to normal mode automatically even after hiting F8 and choosing safe mode

Buckeye_Sam

Please download CWShredder but don't run it yet.
http://cwshredder.net/bin/CWSInstall.exe


Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


Make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dtttx.dll/sp.html#27130
R3 - Default URLSearchHook is missing
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {7FF53652-4DA9-7C18-869B-8B90C486CE63} - C:\WINDOWS\system32\winze32.dll
O2 - BHO: (no name) - {A21E60F2-0648-C70B-6954-C8674404125D} - C:\WINDOWS\system32\winze32.dll
O2 - BHO: (no name) - {C735153A-68D1-A733-70E3-4788A0DFAFED} - C:\WINDOWS\system32\winze32.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitence32.exe
O4 - HKLM\..\Run: [66.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\66.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [ipgq.exe] C:\WINDOWS\system32\ipgq.exe
O4 - HKLM\..\RunOnce: [wingj32.exe] C:\WINDOWS\wingj32.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\ntsj.exe (file missing)


Reboot your computer into Safe Mode


Now run CWShredder, making sure to click "Fix".


Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\isrvs <-- this folder
C:\windows\system32\elitence32.exe
C:\WINDOWS\System32\tibs5.exe
C:\WINDOWS\system32\ipgq.exe
C:\WINDOWS\wingj32.exe
C:\WINDOWS\ntsj.exe
C:\WINDOWS\system32\winze32.dll
C:\WINDOWS\system32\dtttx.dll


Delete temp files

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.



Run a full scan with Adaware.

Reboot your computer to go back to normal mode and post a new log.

thsmug13

here is my new log after doing what you told me.
It appears to be gone except the O15's

Logfile of HijackThis v1.99.0
Scan saved at 3:34:38 PM, on 2/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\program files\ups\tsg printer tools\tsg.tools.printers.service.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlagent.EXE
C:\Program Files\ISS\bin\system\service_start.exe
C:\Program Files\ISS\Bin\System\ISSTraceServer.exe
C:\Program Files\ISS\Bin\System\CheckPrimaryStatus.exe
C:\Program Files\ISS\Bin\System\IShipListener.exe
C:\Program Files\ISS\Bin\System\CreditService.exe
C:\Program Files\ISS\Bin\System\MessageListener.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MBE\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MBE\Binn\sqlagent.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\isrvs\desktop.exe
c:\program files\iss\bin\app\ISSHealthCheck.exe
C:\Program Files\Mail Boxes Etc\CMSServices\CMSServices.exe
C:\Program Files\ISS\Bin\App\Watcher.exe
C:\Program Files\ISS\Bin\App\ISSNavigator.exe
C:\PROGRAM FILES\ISS\BIN\APP\TASKLISTENER.EXE
C:\Program Files\ISS\POS\ISSPOS.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theupsstore.com/
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [POSStartUp] C:\Program Files\ISS\Bin\App\Logon.exe /L
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitence32.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {4392B188-CBA7-4CA8-A24F-31B378B3F4B5} (MSI.AXM) - https://mbe.iship.com/pss005/bin/msi_axm.cab
O16 - DPF: {48032833-56FF-4D44-ACB4-1BBAC4A3D942} (MSI.Printer) - https://mbe.iship.com/pss005/bin/msi_printer.cab
O16 - DPF: {51A4A871-14C1-40F1-8E24-8CA7CF6D620B} (MSI.Scale) - https://mbe.iship.com/pss005/bin/msi_scales.cab
O16 - DPF: {5B37ABB0-9FC0-4FA1-B2F9-95CC9A088D3C} (MSI.Ports) - https://mbe.iship.com/pss005/bin/msi_portenum.cab
O16 - DPF: {5C8F2A10-0C1B-4499-870E-6C0573AFF7BF} (MSI.csz_TDatabase ) - https://mbe.iship.com/pss005/bin/msi_cszapi.cab
O16 - DPF: {5CD04B10-040B-4929-9195-066894576CA9} (MSI.Registry) - https://mbe.iship.com/pss005/bin/msi_registry.cab
O16 - DPF: {66407C2E-2514-11D3-82F4-00A0C9D57E74} (MSI.cms_CSZ) - https://mbe.iship.com/pss005/bin/cms_csz.cab
O16 - DPF: {7EB52C24-2ED3-47DA-8845-3673931B22F9} (MSI_LabelManager Object) - https://mbe.iship.com/pss005/bin/msi_label.cab
O16 - DPF: {A12552C3-8947-11D1-9D49-00A02475D4E0} (MSI.sss_ShippingStationServices) - https://mbe.iship.com/pss005/bin/msi_shippingstation.cab
O16 - DPF: {B1234A37-C3D2-4EA1-BC14-054BC2F22807} (MSI.ClientPOS) - https://mbe.iship.com/pss005/bin/msi_posclient.cab
O16 - DPF: {BB7FDAE3-7188-45EC-84AD-E85777F96E2A} (MSI.ofl_TRatingX ) - https://mbe.iship.com/pss005/bin/msi_ratingx.cab
O16 - DPF: {F6F81E1B-2A96-491A-AEFA-6D7A0BA1CB38} (MSI.ClientScriptTools) - https://mbe.iship.com/pss005/bin/msi_cst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75FB3B8E-F9A3-4232-A05F-2AB74C12E294}: NameServer = 206.13.30.12,206.13.29.12
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSLoader - Unknown - C:\Program Files\ISS\bin\system\service_start.exe
O23 - Service: ISS Messaging Service - ISS Retail, Inc. - C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
O23 - Service: ISSStartServices - Unknown - C:\Program Files\ISS\bin\system\StartServices.exe
O23 - Service: ISS Retail Trace Server - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
O23 - Service: ISS Trace File Maintenance - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
O23 - Service: ISS Trace Monitor Host - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TSG Printer Tools - Mail Boxes Etc. - c:\program files\ups\tsg printer tools\tsg.tools.printers.service.exe
O23 - Service: ZServices v1.0.90 - Mail Boxes Etc./Technology - C:\Program Files\Mail Boxes Etc\Z Services 1.0\ZServices.exe

Buckeye_Sam

Not quite everything is gone yet.


Download(right click and select Save file as or Save link as): DelDomains.inf
http://mvps.org/winhelp2002/DelDomains.inf

To use: Close all open browsers
Right-click DelDomains.inf and select: Install

This should remove those 015 entries.



Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows




Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitence32.exe





Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist):

C:\windows\system32\elitence32.exe
C:\WINDOWS\isrvs <-- let me know if this folder still exists as you should have removed in the last step.




Reboot your computer to go back to normal mode.



Please run these two online scans.
Make sure they are set to clean automatically:

http://housecall.trendmicro.com/

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

If there are files that can not be removed by the scans please include that information in your next post.



Reboot and post a new hijackthis log.

thsmug13

I had a problem with the panda scan. Here is the new log

Logfile of HijackThis v1.99.0
Scan saved at 10:41:59 AM, on 2/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\ISS\bin\system\StartServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\program files\ups\tsg printer tools\tsg.tools.printers.service.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlservr.exe
C:\Documents and Settings\Administrator\My Documents\hijack this\HijackThis.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlagent.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theupsstore.com/
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [POSStartUp] C:\Program Files\ISS\Bin\App\Logon.exe /L
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4392B188-CBA7-4CA8-A24F-31B378B3F4B5} (MSI.AXM) - https://mbe.iship.com/pss005/bin/msi_axm.cab
O16 - DPF: {48032833-56FF-4D44-ACB4-1BBAC4A3D942} (MSI.Printer) - https://mbe.iship.com/pss005/bin/msi_printer.cab
O16 - DPF: {51A4A871-14C1-40F1-8E24-8CA7CF6D620B} (MSI.Scale) - https://mbe.iship.com/pss005/bin/msi_scales.cab
O16 - DPF: {5B37ABB0-9FC0-4FA1-B2F9-95CC9A088D3C} (MSI.Ports) - https://mbe.iship.com/pss005/bin/msi_portenum.cab
O16 - DPF: {5C8F2A10-0C1B-4499-870E-6C0573AFF7BF} (MSI.csz_TDatabase ) - https://mbe.iship.com/pss005/bin/msi_cszapi.cab
O16 - DPF: {5CD04B10-040B-4929-9195-066894576CA9} (MSI.Registry) - https://mbe.iship.com/pss005/bin/msi_registry.cab
O16 - DPF: {66407C2E-2514-11D3-82F4-00A0C9D57E74} (MSI.cms_CSZ) - https://mbe.iship.com/pss005/bin/cms_csz.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7EB52C24-2ED3-47DA-8845-3673931B22F9} (MSI_LabelManager Object) - https://mbe.iship.com/pss005/bin/msi_label.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.webcensus.net/dl/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A12552C3-8947-11D1-9D49-00A02475D4E0} (MSI.sss_ShippingStationServices) - https://mbe.iship.com/pss005/bin/msi_shippingstation.cab
O16 - DPF: {B1234A37-C3D2-4EA1-BC14-054BC2F22807} (MSI.ClientPOS) - https://mbe.iship.com/pss005/bin/msi_posclient.cab
O16 - DPF: {BB7FDAE3-7188-45EC-84AD-E85777F96E2A} (MSI.ofl_TRatingX ) - https://mbe.iship.com/pss005/bin/msi_ratingx.cab
O16 - DPF: {F6F81E1B-2A96-491A-AEFA-6D7A0BA1CB38} (MSI.ClientScriptTools) - https://mbe.iship.com/pss005/bin/msi_cst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75FB3B8E-F9A3-4232-A05F-2AB74C12E294}: NameServer = 206.13.30.12,206.13.29.12
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSLoader - Unknown - C:\Program Files\ISS\bin\system\service_start.exe
O23 - Service: ISS Messaging Service - ISS Retail, Inc. - C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
O23 - Service: ISSStartServices - Unknown - C:\Program Files\ISS\bin\system\StartServices.exe
O23 - Service: ISS Retail Trace Server - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
O23 - Service: ISS Trace File Maintenance - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
O23 - Service: ISS Trace Monitor Host - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TSG Printer Tools - Mail Boxes Etc. - c:\program files\ups\tsg printer tools\tsg.tools.printers.service.exe
O23 - Service: ZServices v1.0.90 - Mail Boxes Etc./Technology - C:\Program Files\Mail Boxes Etc\Z Services 1.0\ZServices.exe

Buckeye_Sam

Open Notepad, copy and paste the text below and "Save As" removit.reg
In the "Save as type" select: All Files and save it to your desktop.

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_CLASSES_ROOT\CLSID\{950238fb-c706-4791-8674-4d429f85897e}]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop search]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\legacy_delprot]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\delprot]

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe



Close HijackThis and open Task Manager (Ctrl-Alt-Del)
Highlight each of the following and select: End Task

desktop.exe
ffisearch.exe
elitefeu32.exe

Then reboot, on restart, restart in Safe Mode

Start | Run (type and click Ok for each of the following: (if exists)

regsvr32 /u C:\WINDOWS\isrvs\sysupd.dll
regsvr32 /u C:\WINDOWS\isrvs\mfiltis.dll
regsvr32 /u C:\WINDOWS\isrvs\msdbhk.dll

Next:

Locate removit.reg right-click and select: Merge (Ok the prompt)

Start | Run (type) "%temp%" (no quotes) [required step]
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer to your Windows\Temp folder [required step]
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following: (if exists)

C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\ffisearch.exe
C:\WINDOWS\isrvs\sysupd.dll
C:\WINDOWS\isrvs\mfiltis.dll
C:\WINDOWS\isrvs\msdbhk.dll
C:\WINDOWS\delprot.sys
C:\WINDOWS\delprot.ini
C:\WINDOWS\delprot.log
C:\WINDOWS\isrvs <--this folder

After the above, reboot, rescan with HijackThis and post a fresh log ...

thsmug13

I was unable to delete (got the write protected error message on each one)
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\ffisearch.exe
C:\WINDOWS\isrvs\sysupd.dll
C:\WINDOWS\isrvs\mfiltis.dll
C:\WINDOWS\isrvs\msdbhk.dll
C:\WINDOWS\isrvs (folder)

Also..
regsvr32 /u C:\WINDOWS\isrvs\msdbhk.dll

Didn't work.

Logfile of HijackThis v1.99.0
Scan saved at 2:28:19 PM, on 2/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlagent.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\ISS\bin\system\service_start.exe
C:\Program Files\ISS\Bin\System\ISSTraceServer.exe
C:\Program Files\ISS\Bin\System\CheckPrimaryStatus.exe
C:\Program Files\ISS\Bin\System\IShipListener.exe
C:\Program Files\ISS\Bin\System\CreditService.exe
C:\Program Files\ISS\Bin\System\MessageListener.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
c:\program files\iss\bin\app\ISSHealthCheck.exe
C:\Program Files\Mail Boxes Etc\CMSServices\CMSServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MBE\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MBE\Binn\sqlagent.EXE
C:\Program Files\ISS\Bin\App\Watcher.exe
C:\Program Files\ISS\Bin\App\ISSNavigator.exe
C:\PROGRAM FILES\ISS\BIN\APP\TASKLISTENER.EXE
C:\Program Files\ISS\POS\ISSPOS.exe
C:\Documents and Settings\Administrator\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theupsstore.com/
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [POSStartUp] C:\Program Files\ISS\Bin\App\Logon.exe /L
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4392B188-CBA7-4CA8-A24F-31B378B3F4B5} (MSI.AXM) - https://mbe.iship.com/pss005/bin/msi_axm.cab
O16 - DPF: {48032833-56FF-4D44-ACB4-1BBAC4A3D942} (MSI.Printer) - https://mbe.iship.com/pss005/bin/msi_printer.cab
O16 - DPF: {51A4A871-14C1-40F1-8E24-8CA7CF6D620B} (MSI.Scale) - https://mbe.iship.com/pss005/bin/msi_scales.cab
O16 - DPF: {5B37ABB0-9FC0-4FA1-B2F9-95CC9A088D3C} (MSI.Ports) - https://mbe.iship.com/pss005/bin/msi_portenum.cab
O16 - DPF: {5C8F2A10-0C1B-4499-870E-6C0573AFF7BF} (MSI.csz_TDatabase ) - https://mbe.iship.com/pss005/bin/msi_cszapi.cab
O16 - DPF: {5CD04B10-040B-4929-9195-066894576CA9} (MSI.Registry) - https://mbe.iship.com/pss005/bin/msi_registry.cab
O16 - DPF: {66407C2E-2514-11D3-82F4-00A0C9D57E74} (MSI.cms_CSZ) - https://mbe.iship.com/pss005/bin/cms_csz.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7EB52C24-2ED3-47DA-8845-3673931B22F9} (MSI_LabelManager Object) - https://mbe.iship.com/pss005/bin/msi_label.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.webcensus.net/dl/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A12552C3-8947-11D1-9D49-00A02475D4E0} (MSI.sss_ShippingStationServices) - https://mbe.iship.com/pss005/bin/msi_shippingstation.cab
O16 - DPF: {B1234A37-C3D2-4EA1-BC14-054BC2F22807} (MSI.ClientPOS) - https://mbe.iship.com/pss005/bin/msi_posclient.cab
O16 - DPF: {BB7FDAE3-7188-45EC-84AD-E85777F96E2A} (MSI.ofl_TRatingX ) - https://mbe.iship.com/pss005/bin/msi_ratingx.cab
O16 - DPF: {F6F81E1B-2A96-491A-AEFA-6D7A0BA1CB38} (MSI.ClientScriptTools) - https://mbe.iship.com/pss005/bin/msi_cst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75FB3B8E-F9A3-4232-A05F-2AB74C12E294}: NameServer = 206.13.30.12,206.13.29.12
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSLoader - Unknown - C:\Program Files\ISS\bin\system\service_start.exe
O23 - Service: ISS Messaging Service - ISS Retail, Inc. - C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
O23 - Service: ISSStartServices - Unknown - C:\Program Files\ISS\bin\system\StartServices.exe
O23 - Service: ISS Retail Trace Server - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
O23 - Service: ISS Trace File Maintenance - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
O23 - Service: ISS Trace Monitor Host - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TSG Printer Tools - Mail Boxes Etc. - c:\program files\ups\tsg printer tools\tsg.tools.printers.service.exe
O23 - Service: ZServices v1.0.90 - Mail Boxes Etc./Technology - C:\Program Files\Mail Boxes Etc\Z Services 1.0\ZServices.exe

Buckeye_Sam

Run through the entire fix again, but this time when you get the write protected message do this with each of those files.

Right click on the file.
Select Properties.
Uncheck the box marked Read-only
Click OK.

Now you should be able to delete the files.


Let me know how it goes.

thsmug13

Same result, the read only box was already unchecked for the desktop search file. I unchecked it on the isrvs file and tried to delete but I got the same access denied problem when it came to desktop search.

Logfile of HijackThis v1.99.0
Scan saved at 3:17:10 PM, on 2/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\bin\system\StartServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\program files\ups\tsg printer tools\tsg.tools.printers.service.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlagent.EXE
C:\Program Files\ISS\bin\system\service_start.exe
C:\Program Files\ISS\Bin\System\ISSTraceServer.exe
C:\Program Files\ISS\Bin\System\CheckPrimaryStatus.exe
C:\Program Files\ISS\Bin\System\IShipListener.exe
C:\Program Files\ISS\Bin\System\CreditService.exe
C:\Program Files\ISS\Bin\System\MessageListener.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Documents and Settings\Administrator\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theupsstore.com/
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [POSStartUp] C:\Program Files\ISS\Bin\App\Logon.exe /L
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4392B188-CBA7-4CA8-A24F-31B378B3F4B5} (MSI.AXM) - https://mbe.iship.com/pss005/bin/msi_axm.cab
O16 - DPF: {48032833-56FF-4D44-ACB4-1BBAC4A3D942} (MSI.Printer) - https://mbe.iship.com/pss005/bin/msi_printer.cab
O16 - DPF: {51A4A871-14C1-40F1-8E24-8CA7CF6D620B} (MSI.Scale) - https://mbe.iship.com/pss005/bin/msi_scales.cab
O16 - DPF: {5B37ABB0-9FC0-4FA1-B2F9-95CC9A088D3C} (MSI.Ports) - https://mbe.iship.com/pss005/bin/msi_portenum.cab
O16 - DPF: {5C8F2A10-0C1B-4499-870E-6C0573AFF7BF} (MSI.csz_TDatabase ) - https://mbe.iship.com/pss005/bin/msi_cszapi.cab
O16 - DPF: {5CD04B10-040B-4929-9195-066894576CA9} (MSI.Registry) - https://mbe.iship.com/pss005/bin/msi_registry.cab
O16 - DPF: {66407C2E-2514-11D3-82F4-00A0C9D57E74} (MSI.cms_CSZ) - https://mbe.iship.com/pss005/bin/cms_csz.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7EB52C24-2ED3-47DA-8845-3673931B22F9} (MSI_LabelManager Object) - https://mbe.iship.com/pss005/bin/msi_label.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.webcensus.net/dl/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A12552C3-8947-11D1-9D49-00A02475D4E0} (MSI.sss_ShippingStationServices) - https://mbe.iship.com/pss005/bin/msi_shippingstation.cab
O16 - DPF: {B1234A37-C3D2-4EA1-BC14-054BC2F22807} (MSI.ClientPOS) - https://mbe.iship.com/pss005/bin/msi_posclient.cab
O16 - DPF: {BB7FDAE3-7188-45EC-84AD-E85777F96E2A} (MSI.ofl_TRatingX ) - https://mbe.iship.com/pss005/bin/msi_ratingx.cab
O16 - DPF: {F6F81E1B-2A96-491A-AEFA-6D7A0BA1CB38} (MSI.ClientScriptTools) - https://mbe.iship.com/pss005/bin/msi_cst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75FB3B8E-F9A3-4232-A05F-2AB74C12E294}: NameServer = 206.13.30.12,206.13.29.12
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSLoader - Unknown - C:\Program Files\ISS\bin\system\service_start.exe
O23 - Service: ISS Messaging Service - ISS Retail, Inc. - C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
O23 - Service: ISSStartServices - Unknown - C:\Program Files\ISS\bin\system\StartServices.exe
O23 - Service: ISS Retail Trace Server - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
O23 - Service: ISS Trace File Maintenance - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
O23 - Service: ISS Trace Monitor Host - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TSG Printer Tools - Mail Boxes Etc. - c:\program files\ups\tsg printer tools\tsg.tools.printers.service.exe
O23 - Service: ZServices v1.0.90 - Mail Boxes Etc./Technology - C:\Program Files\Mail Boxes Etc\Z Services 1.0\ZServices.exe

Buckeye_Sam

Let's try this another way.

Open Notepad, copy and paste the below, "Save As" removeit.reg

Remove the space in the middle of the word CurrentVersion, 5B4AB8E2, and 950238FB before saving it. It's a bug in the forum code that displays it incorrectly.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB-C706-4791-8674-4D429F85897E}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop search]

Close all open programs and browsers, rescan with HijackThis
Place a check in each of the following then click "Fix checked".

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe


Reboot your computer into Safe Mode


With no other windows or programs open ...

Start | Run (type) cmd

Start | Run (type) taskmgr
Click the Processes tab and highlight Explorer.exe click "End Process"
Leave Task Manager open. Go back to the Command Prompt window.

(type) cd\windows (press Enter)
(type) del isrvs (press Enter)

Go back to Task Manager, click File, New Task (type) EXPLORER.EXE
Close Task Manager. Close the Command Prompt.

Locate removeit.reg, right-click and select: Merge (Ok the prompt)


After the above, reboot, rescan with HijackThis and post a fresh log ...

thsmug13

followed every step exact. here is the log
Desktop search is a nightmare!

Logfile of HijackThis v1.99.0
Scan saved at 4:17:49 PM, on 2/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\bin\system\StartServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\program files\ups\tsg printer tools\tsg.tools.printers.service.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlagent.EXE
C:\Program Files\ISS\bin\system\service_start.exe
C:\Program Files\ISS\Bin\System\ISSTraceServer.exe
C:\Program Files\ISS\Bin\System\CheckPrimaryStatus.exe
C:\Program Files\ISS\Bin\System\IShipListener.exe
C:\Program Files\ISS\Bin\System\CreditService.exe
C:\Program Files\ISS\Bin\System\MessageListener.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Documents and Settings\Administrator\My Documents\hijack this\HijackThis.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MBE\Binn\sqlservr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theupsstore.com/
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [POSStartUp] C:\Program Files\ISS\Bin\App\Logon.exe /L
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4392B188-CBA7-4CA8-A24F-31B378B3F4B5} (MSI.AXM) - https://mbe.iship.com/pss005/bin/msi_axm.cab
O16 - DPF: {48032833-56FF-4D44-ACB4-1BBAC4A3D942} (MSI.Printer) - https://mbe.iship.com/pss005/bin/msi_printer.cab
O16 - DPF: {51A4A871-14C1-40F1-8E24-8CA7CF6D620B} (MSI.Scale) - https://mbe.iship.com/pss005/bin/msi_scales.cab
O16 - DPF: {5B37ABB0-9FC0-4FA1-B2F9-95CC9A088D3C} (MSI.Ports) - https://mbe.iship.com/pss005/bin/msi_portenum.cab
O16 - DPF: {5C8F2A10-0C1B-4499-870E-6C0573AFF7BF} (MSI.csz_TDatabase ) - https://mbe.iship.com/pss005/bin/msi_cszapi.cab
O16 - DPF: {5CD04B10-040B-4929-9195-066894576CA9} (MSI.Registry) - https://mbe.iship.com/pss005/bin/msi_registry.cab
O16 - DPF: {66407C2E-2514-11D3-82F4-00A0C9D57E74} (MSI.cms_CSZ) - https://mbe.iship.com/pss005/bin/cms_csz.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7EB52C24-2ED3-47DA-8845-3673931B22F9} (MSI_LabelManager Object) - https://mbe.iship.com/pss005/bin/msi_label.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.webcensus.net/dl/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A12552C3-8947-11D1-9D49-00A02475D4E0} (MSI.sss_ShippingStationServices) - https://mbe.iship.com/pss005/bin/msi_shippingstation.cab
O16 - DPF: {B1234A37-C3D2-4EA1-BC14-054BC2F22807} (MSI.ClientPOS) - https://mbe.iship.com/pss005/bin/msi_posclient.cab
O16 - DPF: {BB7FDAE3-7188-45EC-84AD-E85777F96E2A} (MSI.ofl_TRatingX ) - https://mbe.iship.com/pss005/bin/msi_ratingx.cab
O16 - DPF: {F6F81E1B-2A96-491A-AEFA-6D7A0BA1CB38} (MSI.ClientScriptTools) - https://mbe.iship.com/pss005/bin/msi_cst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75FB3B8E-F9A3-4232-A05F-2AB74C12E294}: NameServer = 206.13.30.12,206.13.29.12
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSLoader - Unknown - C:\Program Files\ISS\bin\system\service_start.exe
O23 - Service: ISS Messaging Service - ISS Retail, Inc. - C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
O23 - Service: ISSStartServices - Unknown - C:\Program Files\ISS\bin\system\StartServices.exe
O23 - Service: ISS Retail Trace Server - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
O23 - Service: ISS Trace File Maintenance - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
O23 - Service: ISS Trace Monitor Host - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TSG Printer Tools - Mail Boxes Etc. - c:\program files\ups\tsg printer tools\tsg.tools.printers.service.exe
O23 - Service: ZServices v1.0.90 - Mail Boxes Etc./Technology - C:\Program Files\Mail Boxes Etc\Z Services 1.0\ZServices.exe

Buckeye_Sam

Yes it is a nightmare. It's part of a bigger issue, but you don't seem to have most of those symptoms so I was hoping that this would be easier.

Please download the trial version of Kapersky Antivirus 5.0 from one of these sites.

http://www.kaspersky.com/trials
(download version 5.0 personal)
or this one;
http://www.kaspersky.com/trials?chapter=146481750
(pick download site nearest to you and download)
or this;
ftp://downloads-us2l.kaspersky-labs...8017F63KM1T941/
(direct download link (U.S.A.), click on second link on page)


Follow the instructions on this page for set-up and posting a log after the scan.

http://www.bleepingcomputer.com/forums/topict11662.html


Let me know how it goes and post a new hijackthis log when you're done.

thsmug13

Ran Kaspersky, here is the new log

Logfile of HijackThis v1.99.0
Scan saved at 9:47:14 AM, on 2/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
c:\program files\ups\tsg printer tools\tsg.tools.printers.service.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ISS\Binn\sqlagent.EXE
C:\Program Files\ISS\bin\system\service_start.exe
C:\Program Files\ISS\Bin\System\ISSTraceServer.exe
C:\Program Files\ISS\Bin\System\CheckPrimaryStatus.exe
C:\Program Files\ISS\Bin\System\IShipListener.exe
C:\Program Files\ISS\Bin\System\CreditService.exe
C:\Program Files\ISS\Bin\System\MessageListener.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MBE\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MBE\Binn\sqlagent.EXE
C:\Documents and Settings\Administrator\My Documents\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theupsstore.com/
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [POSStartUp] C:\Program Files\ISS\Bin\App\Logon.exe /L
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4392B188-CBA7-4CA8-A24F-31B378B3F4B5} (MSI.AXM) - https://mbe.iship.com/pss005/bin/msi_axm.cab
O16 - DPF: {48032833-56FF-4D44-ACB4-1BBAC4A3D942} (MSI.Printer) - https://mbe.iship.com/pss005/bin/msi_printer.cab
O16 - DPF: {51A4A871-14C1-40F1-8E24-8CA7CF6D620B} (MSI.Scale) - https://mbe.iship.com/pss005/bin/msi_scales.cab
O16 - DPF: {5B37ABB0-9FC0-4FA1-B2F9-95CC9A088D3C} (MSI.Ports) - https://mbe.iship.com/pss005/bin/msi_portenum.cab
O16 - DPF: {5C8F2A10-0C1B-4499-870E-6C0573AFF7BF} (MSI.csz_TDatabase ) - https://mbe.iship.com/pss005/bin/msi_cszapi.cab
O16 - DPF: {5CD04B10-040B-4929-9195-066894576CA9} (MSI.Registry) - https://mbe.iship.com/pss005/bin/msi_registry.cab
O16 - DPF: {66407C2E-2514-11D3-82F4-00A0C9D57E74} (MSI.cms_CSZ) - https://mbe.iship.com/pss005/bin/cms_csz.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7EB52C24-2ED3-47DA-8845-3673931B22F9} (MSI_LabelManager Object) - https://mbe.iship.com/pss005/bin/msi_label.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.webcensus.net/dl/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A12552C3-8947-11D1-9D49-00A02475D4E0} (MSI.sss_ShippingStationServices) - https://mbe.iship.com/pss005/bin/msi_shippingstation.cab
O16 - DPF: {B1234A37-C3D2-4EA1-BC14-054BC2F22807} (MSI.ClientPOS) - https://mbe.iship.com/pss005/bin/msi_posclient.cab
O16 - DPF: {BB7FDAE3-7188-45EC-84AD-E85777F96E2A} (MSI.ofl_TRatingX ) - https://mbe.iship.com/pss005/bin/msi_ratingx.cab
O16 - DPF: {F6F81E1B-2A96-491A-AEFA-6D7A0BA1CB38} (MSI.ClientScriptTools) - https://mbe.iship.com/pss005/bin/msi_cst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75FB3B8E-F9A3-4232-A05F-2AB74C12E294}: NameServer = 206.13.30.12,206.13.29.12
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSLoader - Unknown - C:\Program Files\ISS\bin\system\service_start.exe
O23 - Service: ISS Messaging Service - ISS Retail, Inc. - C:\Program Files\ISS Messaging\Bin\ISS.Messaging.Shell.NTService.exe
O23 - Service: ISSStartServices - Unknown - C:\Program Files\ISS\bin\system\StartServices.exe
O23 - Service: ISS Retail Trace Server - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSRetailTraceServer.exe
O23 - Service: ISS Trace File Maintenance - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceFileMaintenance.exe
O23 - Service: ISS Trace Monitor Host - ISS Retail, Inc. - C:\Program Files\ISS Trace\Bin\ISSTraceMonitorHost.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Retrospect Launcher - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TSG Printer Tools - Mail Boxes Etc. - c:\program files\ups\tsg printer tools\tsg.tools.printers.service.exe
O23 - Service: ZServices v1.0.90 - Mail Boxes Etc./Technology - C:\Program Files\Mail Boxes Etc\Z Services 1.0\ZServices.exe

Buckeye_Sam

Your log is clean! Did Kapersky find anything? It was almost too easy....



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.
   
   You can find instructions on how to enable and reenable system restore here:
   
   Managing Windows Millenium System Restore
   
   or
   
   Windows XP System Restore Guide
   
   Renable system restore with instructions from tutorial above
   
   
2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
   1. From within Internet Explorer click on the Tools menu and then click on Options.
   2. Click once on the Security tab
   3. Click once on the Internet icon so it becomes highlighted.
   4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
         
      2. Change the Download unsigned ActiveX controls to Disable
         
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
         
      4. Change the Installation of desktop items to Prompt
         
      5. Change the Launching programs and files in an IFRAME to Prompt
         
      6. Change the Navigate sub-frames across different domains to Prompt
         
      7. When all these settings have been made, click on the OK button.
         
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
   5. Next press the Apply button and then the OK to exit the Internet Properties page.
   
   
3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   
4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
   
   For a tutorial on Firewalls and a listing of some available ones see the link below:
   
   Understanding and Using Firewalls
   
   
6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
   
   A tutorial on installing & using this product can be found here:
   
   Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
   
   
8. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
   
   A tutorial on installing & using this product can be found here:
   
   Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
   
   
9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
   
   A tutorial on installing & using this product can be found here:
   
   Using SpywareBlaster to protect your computer from Spyware and Malware
   
   
10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

thsmug13

Thank you so much for all your help! Should I delete Kaspersky since I already have Norton? Kaspersky found over 800 things.

Buckeye_Sam

I'm not a big Norton fan, but let me see if I get this right. Kapersky found over 800 things that Norton didn't.

If it was me I'd get rid of Norton and keep Kapersky.