IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.
Status
Not open for further replies.
1 - 13 of 13 Posts

·
Registered
Joined
·
242 Posts
Discussion Starter · #1 ·
Hi, I've discovered a folder called 7thlevel in my c:\program files folder, and have also seen files named like it in different places in my windows folder. What is this guy? It doesn't show up in my add remove programs list, is it a game and can I just delete the files? This would be tough as it seems there are a lot of them.
Thanks in advance.
 

·
Registered
Joined
·
242 Posts
Discussion Starter · #3 ·
Hi Gerry, thanks for the reply.
I did a search; right-clicking/properties on the files didn't tell me much.
Here is where I found them:
C:\Program files\7thlevel
C:\WINDOWS\SYSTEM32\7thLevel

I also discovered it in the registry as well:
HKEY_CURRENT_USER
SOFTWARE
MICROSOFT
Searchassistant
5603 Name 000 Type RG_SZ Data 7thlevel
5604 Name 000 Type RG_SZ Data 7thlevel
HKEY_LOCAL_MACHINE
SOFTWARE
7th Level Inc,
7th Level Media Player
Agent7
7thlevel
There are some others, but I think they're in a windows system restore area, and I won't bother you with them.

I visited the website you mentioned, it's more like an adware site as far as I could determine, with no way to contact 7thlevel or find out more, as well as its cheesy little pop-up when you exit the website grrr.

Anyway thanks again Gerry, I'm hoping it's not some as yet undiscovered malicious spyware system of some sort hehe. And that I can just go ahead and delete the folders and the registry entries at some point when I get brave enough.
P.S. Don't know if I entered this reply twice, as when I went to send the first reply I was told I was logged in. Oh well,
 

·
Registered
Joined
·
46,353 Posts
I have moved this to the Security forum.

Please post the Hijack This log as requested.
 

·
Registered
Joined
·
242 Posts
Discussion Starter · #7 ·
Hey Gerry and all, did what you told me, and ran hijackthis. Here is what I got:
Logfile of HijackThis v1.99.0
Scan saved at 10:41:46 PM, on 1/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ProcessSuite\Common\NTServApp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\WinVNC\winvnc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\MiscPrograms\PRINTKEY\Printkey2000.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Winwall\Winwall.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iolo\Search and Recover\DiskImageService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\MiscPrograms\SpyWare\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://webmail.telusplanet.net/horde/imp/login.php?webmail=4cf9b3a37c3ced296c65500e11fbe146
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.telusplanet.net/horde/imp/login.php?webmail=4cf9b3a37c3ced296c65500e11fbe146
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://webmail.telusplanet.net/horde/imp/login.php?webmail=4cf9b3a37c3ced296c65500e11fbe146
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.telusplanet.net/horde/imp/login.php?webmail=4cf9b3a37c3ced296c65500e11fbe146
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Search and Recover Disk Image Service] C:\Program Files\iolo\Search and Recover\DiskImageService.exe
O4 - Startup: Printkey2000.exe.lnk = C:\MiscPrograms\PRINTKEY\Printkey2000.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Winwall Autostart.lnk = C:\Program Files\Winwall\Winwall.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.50/Java/cfsn31235.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E966BD98-AAC4-4968-BECE-02CE7895A08C}: NameServer = 199.185.220.36 199.185.220.52
O23 - Service: APACS+ OPC Device Server - Siemens - C:\Program Files\ProcessSuite\OPCDeviceServer\APACSOPCDeviceServer.exe
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Adroit Eventlog - Unknown - C:\Adroit\ELService.exe (file missing)
O23 - Service: FS Service Control - Wonderware Corporation - C:\Program Files\ProcessSuite\Common\NTServApp.exe
O23 - Service: InSQL Control - Wonderware Corporation - C:\Program Files\ProcessSuite\Historian\Server\InSQLCntlSvc.exe
O23 - Service: InSQL DbServer - Wonderware Corp. - C:\Program Files\ProcessSuite\Historian\Server\PdsSrv.exe
O23 - Service: InSQL Event System - Wonderware Corp. - C:\Program Files\ProcessSuite\Historian\Server\eventsys.exe
O23 - Service: InSQL IODriver - Wonderware Corporation - C:\Program Files\ProcessSuite\Historian\Server\IODriver.exe
O23 - Service: M-BUS/M-NET Administration - Siemens Energy & Automation - C:\Program Files\ProcessSuite\MBUSDRVR\mcontrol.exe
O23 - Service: APACS+ NIM32 - Siemens Energy & Automation, Inc. - C:\Program Files\ProcessSuite\NIM\Nim32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wonderware SuiteLink - Invensys Systems, Inc. - C:\Program Files\ProcessSuite\Common\slssvc.exe
O23 - Service: VNC Server - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\winvnc.exe
O23 - Service: Wonderware Logger - Wonderware Corporation - C:\Program Files\ProcessSuite\Common\wwlogsvc.exe
O23 - Service: Wonderware NetDDE Helper - Invensys Systems, Inc. - C:\Program Files\ProcessSuite\Common\wwnetdde.exe
O23 - Service: WwRpcSvr - Wonderware Corporation - C:\WINDOWS\System32\wwinstsvc.exe
 

·
Registered
Joined
·
46,353 Posts
I don't see anything in your log.

I don't know of any security threats related to this, but if you want to remove it, delete the 7th level files and folders and delete those entries in the registry. You may have to delete the folder in safe mode.

How to start your computer in safe mode
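
Added example, not part of the thread or of HijackThis itself: a short Python triage of the log format posted above, grouping entries by section code, listing the ones the scanner marked "(no file)" or "(file missing)", and splitting O23 service lines into name, vendor and path. The function names are this example's own; the sample lines are an excerpt copied from the posted log.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted in this thread (lines copied as-is).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O23 - Service: Adroit Eventlog - Unknown - C:\Adroit\ELService.exe (file missing)
O23 - Service: VNC Server - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\winvnc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "O23 - <body>"
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")  # scanner's own marker
SERVICE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")  # name - vendor - path

def parse_log(text):
    """Group section-coded entries (R3, O4, O23, ...) by code; skip other lines."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def orphaned(sections):
    """Entries that reference a file the scanner could not find on disk."""
    return [(code, body) for code, items in sections.items()
            for body in items if ORPHAN.search(body)]

def services(sections):
    """Split O23 entries into (name, vendor, path) with the marker removed."""
    out = []
    for body in sections.get("O23", []):
        m = SERVICE.match(body)
        if m:
            name, vendor, path = m.groups()
            out.append((name, vendor, ORPHAN.sub("", path).strip()))
    return out

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for code, body in orphaned(parsed):
        print("orphaned reference:", code, body)
    for name, vendor, path in services(parsed):
        print("service:", name, "|", vendor, "|", path)
```
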
 

·
Registered
Joined
·
242 Posts
Discussion Starter · #9 ·
Thanks a lot FLRMAN1, I will do that.
 

·
Registered
Joined
·
242 Posts
Discussion Starter · #11 ·
Hi guys, just thought I'd follow up to end this thread.
I finally got brave enough to delete all the registry entries, files and folders regarding 7thlevel with no ill effects to my pc. :up:

Again, many thanks for your guidance.
DF
 