Landesher (posted November 10, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 21:30:14, on 10.11.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\spywarebegone\SpywareBeGone.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Sander\LOCALS~1\Temp\Rar$EX00.062\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Documents and Settings\Sander\Desktop\ares\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120852228669
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F28B19E0-2F1A-4189-97C7-CF3FDED1F881}: NameServer = 194.126.115.18 194.126.101.34
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Hi, a friend of mine is having trouble with spyware/viruses, so I suggested he download HijackThis and make a log. This is the log. Help would be appreciated.
coltm4carbine (posted November 10, 2005)

OK, I'll take a proper look at the log after a shower. Before you do any of that, please move HJT out of the temp folder (into C:\HJT, for example). This ensures backups are made should anything go wrong.

I had a quick scan: tell him to uninstall SpywareBeGone. It is a rogue and gives you spyware/adware. It is also known to produce lots of false positives. After uninstalling it through Add/Remove Programs, fix this line:

O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan

Get Ad-Aware and Spybot instead; they are better and free. Run a scan with those and post back a new log.
Sharky009 (posted November 10, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 22:23:47, on 10.11.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\Sander\Desktop\Sander\Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Documents and Settings\Sander\Desktop\ares\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120852228669
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F28B19E0-2F1A-4189-97C7-CF3FDED1F881}: NameServer = 194.126.115.18 194.126.101.34
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Hi. This is the guy who's having the problems.
Sharky009 (posted November 10, 2005)

By the way, I scanned my computer with Spybot; it didn't find anything. I scanned with Norton AntiVirus 2005: it found many, but managed to delete/fix only 13 out of 32. I scanned with Ad-Aware SE: it found 46 critical objects, and I deleted everything. Yesterday I scanned with many different spyware removal and virus protection programs. My computer is full of viruses and spyware. I can't pick a wallpaper, and everything is very slow (desktop, browser). I also scanned with Spy Sweeper; it found 36 objects and I removed them all. I would really like to get rid of those viruses and spyware. Help please.

Sharky
coltm4carbine (posted November 10, 2005)

Hi, back using canned speech again. Never mind, now you tell me... That's why I don't like Norton, but that's another thing. Well, there are only a few things wrong with it (from what I can see, anyway; everyone else feel free to correct me).

Please do not put HijackThis in a temporary folder, or on the Desktop. I suggest using 'C:\Program Files\Hijackthis' or C:\HiJackThis\.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. Click here: http://www.microsoft.com/windowsxp/down ... fault.mspx

Fix these:

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0852228669
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll

Then repost a new HJT log and it should be clean.
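The triage in the replies above follows a few repeatable checks: the scanner itself should not run from a temp or desktop folder (its backups are lost), autostart entries for known rogue products get removed, a Winlogon Notify DLL in system32 that no installed product accounts for is suspect, every O16 ActiveX download control is reviewed against the host it came from, and the O17 name servers are confirmed to belong to the ISP. The script below is an added example that applies those checks to a HijackThis-style log; it is not HijackThis code and not from any post in this thread. The rogue-product list, the known-good Notify DLL list and the sample log lines are constructed for the demo and are assumptions, not authoritative data.

```python
"""Rule-based triage of a HijackThis-style log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Assumed lists for the example. A practitioner would maintain these from
# vendor documentation and a rogue-software tracker rather than hard-code them.
ROGUE_PRODUCTS = {"spywarebegone"}
KNOWN_NOTIFY_DLLS = {
    "mcpstub.dll",     # Stardock MCPClient
    "fastload.dll",    # Stardock WindowBlinds
    "wrlogonntf.dll",  # Webroot Spy Sweeper
}
# Folders an unprivileged user (or a drive-by download) can write to.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\desktop\\", "\\local settings\\")

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|ocx)", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # "processes" or the O-number of the entry
    reason: str
    line: str


def parse_log(text):
    """Split a log into its running-process list and its (section, body) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text):
    """Apply the thread's checks and return one Finding per hit."""
    processes, entries = parse_log(text)
    findings = []
    for proc in processes:
        low = proc.lower()
        if low.endswith("hijackthis.exe") and any(mk in low for mk in USER_WRITABLE_MARKERS):
            findings.append(Finding("processes",
                                    "HijackThis is running from a temp/desktop folder; its backups may be lost",
                                    proc))
    for section, body in entries:
        low = body.lower()
        path = PATH_RE.search(body)
        if section == "O4":
            if any(p in low for p in ROGUE_PRODUCTS):
                findings.append(Finding(section, "autostart for a known rogue anti-spyware product", body))
            if path and any(mk in path.group(0).lower() for mk in USER_WRITABLE_MARKERS):
                findings.append(Finding(section, "autostart points into a user-writable location", body))
        elif section == "O20":
            dll = path.group(0).rsplit("\\", 1)[-1].lower() if path else ""
            if dll and dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding(section, "Winlogon Notify DLL not on the known-good list", body))
        elif section == "O16":
            host = URL_HOST_RE.search(body)
            origin = host.group(1).lower() if host else "?"
            findings.append(Finding(section, f"ActiveX download control from {origin}; remove if not needed", body))
        elif section == "O17":
            ns = re.search(r"NameServer = (.*)$", body)
            if ns:
                findings.append(Finding(section,
                                        f"DNS servers set to {ns.group(1).strip()}; confirm they belong to the ISP",
                                        body))
    return findings


# Constructed sample, shaped like the logs in this thread (not a real capture).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1 (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\Sander\LOCALS~1\Temp\Rar$EX00.062\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan
O4 - HKCU\..\Run: [areslite] "C:\Documents and Settings\Sander\Desktop\ares\Ares Lite Edition\AresLite.exe" -h
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F28B19E0-2F1A-4189-97C7-CF3FDED1F881}: NameServer = 194.126.115.18 194.126.101.34
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample the script flags the scanner running from Temp, the rogue product's autostart, the Desktop-hosted autostart, the one ActiveX control, the DNS servers for confirmation, and msctl32.dll but not the Webroot Notify DLL. The O4 rule is deliberately coarse: anything under Desktop or Temp is surfaced for a human to decide, which is how the helpers in the thread worked through the log.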
Sharky009 (posted November 12, 2005)

I couldn't install that service pack; I got an error when installing. But I fixed the files you told me to. So here's the new log.

Logfile of HijackThis v1.99.1
Scan saved at 14:01:09, on 12.11.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\Sander\Desktop\Sander\Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Documents and Settings\Sander\Desktop\ares\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP.exe" -s
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F28B19E0-2F1A-4189-97C7-CF3FDED1F881}: NameServer = 194.126.115.18 194.126.101.34
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
coltm4carbine (posted November 12, 2005)

The log looks OK, unless I missed anything.

Please run an online virus scan at Kaspersky OnLine Scan, or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

If you are unable to run the ActiveX antivirus scanners, let's try the Java-based solution from Trend Micro.

See if they find any more and get rid of them. Try running Norton in Safe Mode (F8 while booting up) and see what it finds. Post it here with the path.
Sharky009 (posted November 12, 2005)

Alright, the Kaspersky scanning results. Looks kind of bad, I guess...

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, November 12, 2005 19:46:22
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 12/11/2005
Kaspersky Anti-Virus database records: 149733
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 86541
Number of viruses found: 5
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 10842 sec

Infected Object Name - Virus Name
C:\loader.exe Infected: Trojan-Downloader.Win32.Agent.xq
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP112\A0031031.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP113\A0031189.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP113\A0032217.exe Infected: Backdoor.Win32.Agent.pn
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP113\A0032222.exe Infected: Trojan-Downloader.Win32.Agent.xq
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP86\A0025223.dll Infected: Trojan-Downloader.Win32.IstBar.ms
C:\WINDOWS\tool2.exe Infected: not-virus:Hoax.Win32.Renos.w
C:\winstall.exe Infected: not-virus:Hoax.Win32.Renos.w

Scan process completed.

So I delete them manually?
coltm4carbine Posted November 12, 2005

OK,

KASPERSKY ON-LINE SCANNER REPORT
Saturday, November 12, 2005 19:46:22
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 12/11/2005
Kaspersky Anti-Virus database records: 149733
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\ C:\ D:\ E:\ G:\

Scan Statistics:
Total number of scanned objects: 86541
Number of viruses found: 5
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 10842 sec

Infected Object Name - Virus Name
C:\loader.e3e (CAUTION - executable file) Infected: Trojan-Downloader.Win32.Agent.xq
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP112\A0031031.e3e (CAUTION - executable file) Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP113\A0031189.e3e (CAUTION - executable file) Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP113\A0032217.e3e (CAUTION - executable file) Infected: Backdoor.Win32.Agent.pn
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP113\A0032222.e3e (CAUTION - executable file) Infected: Trojan-Downloader.Win32.Agent.xq
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP86\A0025223.dll Infected: Trojan-Downloader.Win32.IstBar.ms
C:\WINDOWS\tool2.e3e (CAUTION - executable file) Infected: not-virus:Hoax.Win32.Renos.w
C:\winstall.e3e (CAUTION - executable file) Infected: not-virus:Hoax.Win32.Renos.w

Scan process completed.

OK, most of them are in the restore, so you will have to disable System Restore (from my experience at the McAfee forums). Instructions here and here. After disabling System Restore, run your Symantec (Norton) in Safe Mode and see whether it will find and delete them. Some of them might even come up as adware.
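Added example, not part of the thread or of any tool named in it: a small Python script that reads the "Infected Object Name" lines of a Kaspersky On-line Scanner report like the one quoted above and sorts every hit into one of three buckets, a live file on the running system, a copy held inside a System Restore point (the `System Volume Information\_restore{...}\RP<n>\` paths), or a file already in the Recycle Bin. This makes the point of the reply visible: the restore-point hits disappear when System Restore is turned off and its snapshots purged, while the live files still have to be removed. The sample report embedded in the script is constructed from the lines quoted above (redacted file names written out as `.exe`, plus one extra Recycle Bin line taken from the later ewido report); the bucket names and function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input, modelled on the Kaspersky On-line Scanner report
# quoted in this thread (file names written as .exe; one Recycle Bin line added
# so the third bucket is exercised). Not the original report text.
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\loader.exe Infected: Trojan-Downloader.Win32.Agent.xq
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP112\A0031031.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP113\A0032217.exe Infected: Backdoor.Win32.Agent.pn
C:\System Volume Information\_restore{CAEECEE7-8A3A-4E01-B2C6-C08321BC59B7}\RP86\A0025223.dll Infected: Trojan-Downloader.Win32.IstBar.ms
C:\WINDOWS\tool2.exe Infected: not-virus:Hoax.Win32.Renos.w
C:\winstall.exe Infected: not-virus:Hoax.Win32.Renos.w
C:\RECYCLER\S-1-5-21-1417001333-1677128483-682003330-1004\Dc3.exe Infected: not-virus:Hoax.Win32.Renos.w
Scan process completed.
"""

# One report line is "<path> Infected: <detection name>"; the path may contain spaces,
# so match it lazily up to the " Infected:" marker.
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<name>\S+)\s*$")
# System Restore keeps copies of changed files under RP<n> directories; a hit there
# is a snapshot of an earlier infection, not a file that executes on the live system.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)
RECYCLER_RE = re.compile(r"\\RECYCLER\\", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    name: str
    location: str                 # "live", "restore_point" or "recycle_bin"
    restore_point: Optional[int] = None


def classify(path: str, name: str) -> Detection:
    m = RESTORE_RE.search(path)
    if m:
        return Detection(path, name, "restore_point", int(m["rp"]))
    if RECYCLER_RE.search(path):
        return Detection(path, name, "recycle_bin")
    return Detection(path, name, "live")


def parse_report(text: str) -> List[Detection]:
    """Extract every detection line from the report; header/footer lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(classify(m["path"], m["name"]))
    return found


def summarize(found: List[Detection]) -> Counter:
    return Counter(d.location for d in found)


def live_paths(found: List[Detection]) -> List[str]:
    """Files actually present on the running system: these still need removing."""
    return [d.path for d in found if d.location == "live"]


def restore_points_hit(found: List[Detection]) -> set:
    """Restore points holding infected copies; purged when System Restore is turned off."""
    return {d.restore_point for d in found if d.location == "restore_point"}


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print(dict(summarize(hits)))
    print("live files to remove:", live_paths(hits))
    print("restore points to purge:", sorted(restore_points_hit(hits)))
```

Run as-is it prints three live files, three restore-point copies and one Recycle Bin entry for the constructed sample; point `parse_report` at a saved report to triage a real one.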
blade995 Posted November 13, 2005

Go to windowsupdate.microsoft.com and install all critical updates, including Service Pack 2.
Sharky009 Posted November 13, 2005

OK, I disabled System Restore. I go to Safe Mode, but I can't run the full scan. I can't even run it in normal mode. I'm getting an error like this: http://service1.symantec.com/support/nav.nsf/docid/2002100717403806?OpenDocument&src=_mi&product=NAV&version=11.0&language=english&module=3014&error=554&build=STANDARD
coltm4carbine Posted November 13, 2005

OK, are you on as the admin? If not, try running it when you're the admin. If that doesn't work, then it looks like you need to do what it says.
Sharky009 Posted November 13, 2005

Yes, I was the administrator. I remember I had a lot of errors when installing Norton, so I think it was the fault of the setup file. Maybe I should try Kaspersky? I'll download the trial, maybe?
coltm4carbine Posted November 13, 2005

Maybe. (IMHO anything is better than Norton.)

"I remember I had a lot of errors when installing Norton"

Did you uninstall the previous antivirus(es) properly? (Including through the registry.) OK, forget this idea; it's better to be infected than nothing to be infected with. OK, here's a wiser option: try and use AVG Free Edition and see whether it will get rid of your viruses.
Sharky009 Posted November 14, 2005

Hmm... I scanned with AVG in Safe Mode. It found only one, the "loader[Caution: ExecutableFile]", so I got rid of that. But it didn't find the other ones. Maybe it was because I turned off System Restore in Safe Mode and didn't restart the computer. :roll:
coltm4carbine Posted November 14, 2005

Backdoor.Prorat Virus. This Trojan allows attackers to access your computer, stealing passwords and personal data.

OK, try the online scans again; bit surprised AVG didn't find the rest. See if the online scans can get rid of them. Panda + Trend should fix them up.

Use TrendMicro

+++++

If you are unable to run the ActiveX antivirus scanners, let's try this Java-based solution from Trend Micro.

For HouseCall / Trend Micro, follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that HouseCall will remove any viruses from your system. When the scan is finished, please restart your computer.

Then please run the Panda scan here: http://www.pandasoftware.com/products/a ... ncipal.htm
Choose to "Disinfect automatically" and follow the prompts. Delete any viruses found, and restart your computer. Post the results here.
Sharky009 Posted November 15, 2005

HouseCall found 23 spyware. Got rid of them. Panda scan found this:

Incident | Status | Location
Adware:adware/spysheriff | No disinfected | C:\winstall[Caution: ExecutableFile]
Adware:adware/cws.searchmeup | No disinfected | C:\WINDOWS\kl[Caution: ExecutableFile]
Adware:adware/twain-tech | No disinfected | C:\WINDOWS\smdat32a.sys
Adware:adware/isearch | No disinfected | C:\WINDOWS\tool2[Caution: ExecutableFile]
Adware:adware/need2find | No disinfected | C:\PROGRAM FILES\Need2Find
Spyware:spyware/dyfuca | No disinfected | Windows Registry
Possible Virus. | No disinfected | C:\Program Files\Valve\cstrike\nk hack.dll
Possible Virus. | No disinfected | C:\Program Files\Valve\nk hack.dll
Adware:Adware/SpySheriff | No disinfected | C:\WINDOWS\tool2[Caution: ExecutableFile]
Adware:Adware/SpySheriff | No disinfected | C:\winstall[Caution: ExecutableFile]

It didn't delete them automatically, so I had to delete them manually. But I couldn't delete this "kl[Caution: ExecutableFile]".

Edit: OK, I read another thread on this forum. A guy with a similar problem to mine posted this screenshot... I had the same thing. And I had a weird background. It wasn't the one that you, coltm4carbine, showed to him; it was something else. I can't remember it very well. And I still can't change my desktop wallpaper.
coltm4carbine Posted November 15, 2005

Incident | Status | Location
Adware:adware/spysheriff | No disinfected | C:\winstall.e3e (CAUTION - executable file)
Adware:adware/cws.searchmeup | No disinfected | C:\WINDOWS\kl.e3e (CAUTION - executable file)
Adware:adware/twain-tech | No disinfected | C:\WINDOWS\smdat32a.sys
Adware:adware/isearch | No disinfected | C:\WINDOWS\tool2.e3e (CAUTION - executable file)
Adware:adware/need2find | No disinfected | C:\PROGRAM FILES\Need2Find
Spyware:spyware/dyfuca | No disinfected | Windows Registry
Possible Virus. | No disinfected | C:\Program Files\Valve\cstrike\nk hack.dll
Possible Virus. | No disinfected | C:\Program Files\Valve\nk hack.dll
Adware:Adware/SpySheriff | No disinfected | C:\WINDOWS\tool2.e3e (CAUTION - executable file)
Adware:Adware/SpySheriff | No disinfected | C:\winstall.e3e (CAUTION - executable file)

"Didn't delete them automatically so had to delete them manually.. But I couldn't delete this"

OK, so you're telling me you deleted them manually? (I've got a canned fix for SpySheriff.) Post a new HJT log... I'll take a look at the scan results after I have some sandwiches... Apparently you have a CoolWebSearch infection.

Download CWShredder here to its own folder.

Update CWShredder:
* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

Boot into Safe Mode: restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Now run CWShredder. Click I Agree, then Fix and then Next; let it fix everything it asks about. Reboot your computer into normal Windows.

Then: please download ewido security suite (it is a trial version of the program).
* Install ewido security suite
* When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido; there should be an icon on your desktop, double-click it.
* The program will prompt you to update; click the OK button
* The program will now go to the main screen

You will need to update ewido to the latest definition files.
* On the left hand side of the main screen click Update
* Click on Start

The update will start and a progress bar will show the updates being installed. Once the updates are installed do the following:
* Click on Scanner
* Make sure the following boxes are checked before scanning: Binder, Crypter, Archives
* Click on Start Scan
* Let the program scan the machine

While the scan is in progress you will be prompted to clean files; click OK. Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
* Click Save report
* Save the report to your desktop

Reboot your machine and post back a new HJT log and the ewido scan .txt log file you saved, by using Add Reply.
Sharky009 Posted November 15, 2005

OK, will post the log in a sec. But check up on my last post... Maybe you can say something about this? And yes, manually as in "pressed the Delete button on the keyboard". :P
coltm4carbine Posted November 15, 2005

Oh god no... I hate it when things like these happen... Yeah, I know what you mean. Haven't even got my sandwich out of my fridge yet and this happened... Run the scans and I'll see what to do next. BTW, the background, I think, is caused by SpySheriff.
Sharky009 Posted November 15, 2005

CWShredder didn't find anything... :? HijackThis log after the scans:

Logfile of HijackThis v1.99.1
Scan saved at 23:23:21, on 15.11.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss[Caution: ExecutableFile]
C:\WINDOWS\system32\winlogon[Caution: ExecutableFile]
C:\WINDOWS\system32\services[Caution: ExecutableFile]
C:\WINDOWS\system32\lsass[Caution: ExecutableFile]
C:\WINDOWS\system32\svchost[Caution: ExecutableFile]
C:\WINDOWS\System32\svchost[Caution: ExecutableFile]
C:\Program Files\Common Files\Symantec Shared\ccSetMgr[Caution: ExecutableFile]
C:\Program Files\Common Files\Symantec Shared\SNDSrvc[Caution: ExecutableFile]
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc[Caution: ExecutableFile]
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: ExecutableFile]
C:\WINDOWS\system32\spoolsv[Caution: ExecutableFile]
C:\PROGRA~1\COMMON~1\Stardock\SDMCP[Caution: ExecutableFile]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload[Caution: ExecutableFile]
C:\WINDOWS\Explorer[Caution: ExecutableFile]
C:\Program Files\Java\jre1.5.0_04\bin\jusched[Caution: ExecutableFile]
C:\WINDOWS\System32\RUNDLL32[Caution: ExecutableFile]
C:\Program Files\Common Files\Symantec Shared\ccApp[Caution: ExecutableFile]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile]
C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
C:\Documents and Settings\Sander\Desktop\ares\Ares Lite Edition\AresLite[Caution: ExecutableFile]
C:\Program Files\CursorXP\CursorXP[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile]
C:\Program Files\ewido\security suite\ewidoctrl[Caution: ExecutableFile]
C:\Program Files\Norton AntiVirus\navapsvc[Caution: ExecutableFile]
C:\Program Files\Norton AntiVirus\IWP\NPFMntor[Caution: ExecutableFile]
C:\WINDOWS\System32\nvsvc32[Caution: ExecutableFile]
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService[Caution: ExecutableFile]
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK[Caution: ExecutableFile]
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc[Caution: ExecutableFile]
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr[Caution: ExecutableFile]
C:\WINDOWS\System32\wuauclt[Caution: ExecutableFile]
C:\Hijackthis\HijackThis[Caution: ExecutableFile]

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck[Caution: ExecutableFile]
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched[Caution: ExecutableFile]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32[Caution: ExecutableFile] C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz[Caution: ExecutableFile] /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05[Caution: ExecutableFile]
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32[Caution: ExecutableFile] C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a[Caution: ExecutableFile]
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon[Caution: ExecutableFile]" -lang 1033
O4 - HKLM\..\Run: [bootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin[Caution: ExecutableFile]" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio[Caution: ExecutableFile]" /RANDOM
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp[Caution: ExecutableFile]"
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt[Caution: ExecutableFile]
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon[Caution: ExecutableFile] /Consumer
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper[Caution: ExecutableFile]" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile] /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr[Caution: ExecutableFile]" /background
O4 - HKCU\..\Run: [areslite] "C:\Documents and Settings\Sander\Desktop\ares\Ares Lite Edition\AresLite[Caution: ExecutableFile]" -h
O4 - HKCU\..\Run: [CursorXP] "C:\Program Files\CursorXP\CursorXP[Caution: ExecutableFile]" -s
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire[Caution: ExecutableFile]
O4 - Global Startup: Adobe Gamma Loader[Caution: ExecutableFile].lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader[Caution: ExecutableFile]
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader[Caution: ExecutableFile]
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA[Caution: ExecutableFile]
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL[Caution: ExecutableFile]/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F28B19E0-2F1A-4189-97C7-CF3FDED1F881}: NameServer = 194.126.115.18 194.126.101.34
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile]
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile]
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile]
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: ExecutableFile]
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc[Caution: ExecutableFile]
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr[Caution: ExecutableFile]
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl[Caution: ExecutableFile]
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc[Caution: ExecutableFile]
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor[Caution: ExecutableFile]
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32[Caution: ExecutableFile]
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan[Caution: ExecutableFile]
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ[Caution: ExecutableFile]
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc[Caution: ExecutableFile]
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc[Caution: ExecutableFile]
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService[Caution: ExecutableFile]
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK[Caution: ExecutableFile]
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc[Caution: ExecutableFile]
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr[Caution: ExecutableFile]

Ewido results:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 23:16:24, 15.11.2005
+ Report-Checksum: E37F7103

+ Scan result:

HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-1417001333-1677128483-682003330-1004\Software\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-1417001333-1677128483-682003330-1004\Software\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
C:\Documents and Settings\Rein\Cookies\[email protected][2].txt -> Spyware.Cookie.Adocean : Cleaned with backup
C:\Documents and Settings\Sander\Cookies\sander@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Sander\Cookies\sander@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Sander\Cookies\sander@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Sander\Cookies\sander@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Need2Find -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History\%21.jpg -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History\%23.jpg -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History\%̢̮â¬Å¡Ãâä2.jpg -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History\)̢̮â¬Å¡Ãâä2.jpg -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings -> Spyware.Need2Find : Cleaned with backup
C:\RECYCLER\S-1-5-21-1417001333-1677128483-682003330-1004\Dc3[Caution: ExecutableFile] -> Not-A-Virus.Hoax.Win32.Renos.w : Cleaned with backup
C:\RECYCLER\S-1-5-21-1417001333-1677128483-682003330-1004\Dc4[Caution: ExecutableFile] -> Not-A-Virus.Hoax.Win32.Renos.w : Cleaned with backup
C:\WINDOWS\explorer1[Caution: ExecutableFile] -> TrojanDropper.Small.aia : Cleaned with backup

::Report End
coltm4carbine Posted November 15, 2005

How's your PC now? ewido should have cleaned out most of it (if you have rebooted).

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to these following items (if found), then click Fix checked.

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F28B19E0-2F1A-4189-97C7-CF3FDED1F881}: NameServer = 194.126.115.18 194.126.101.34 <- If you see entries for this and do not recognize the domain as belonging to your ISP or company, and the DNS servers do not belong to your ISP or company, then you should have HijackThis fix it.

Info about the O17:

Registrant:
Elion Ettevtted Aktsiaselts (end. AS Eesti Telefon)
Hobujaama 4
Tallinn 15033
TEL 639 7213
FAX 639 7341
Domain Name: estpak.ee
Contacts: Andres Kepler [email protected]

Can you update your Windows? If you can, do it.
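Added example, not part of the thread and not HijackThis code: a Python script that applies the O17 rule in the reply above mechanically. It pulls the O17 NameServer entries out of a HijackThis log, checks each DNS server address against the resolver networks you expect (your ISP's or your company's), and reports any that fall outside them; it also lists the download host of every O16 DPF (ActiveX) entry so you can see which vendors the controls came from. The embedded sample is constructed from the O16 and O17 lines of the log posted in this thread; the trusted networks passed in the usage example (192.0.2.0/24, a documentation range, and 194.126.0.0/16) are assumptions for the demonstration, not a statement about who operates those resolvers. Whether a given O17 entry is legitimate still depends on what your ISP actually hands out; the script only tells you that it does not match the list you gave it.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Constructed sample input: the O16 and O17 lines copied from the HijackThis log
# posted in this thread, plus one O20 line to show that other sections are ignored.
SAMPLE_LOG = r"""
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F28B19E0-2F1A-4189-97C7-CF3FDED1F881}: NameServer = 194.126.115.18 194.126.101.34
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# O16: "O16 - DPF: {CLSID} (description) - <url of the .cab>"
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
# O17: "O17 - <registry key>: NameServer = <one or more addresses>"; the key has no colon,
# and the interface GUID inside it is optional (Tcpip\Parameters entries have none).
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")


@dataclass
class DpfEntry:
    clsid: str
    description: str
    url: str
    host: str


@dataclass
class NameServerEntry:
    guid: Optional[str]
    servers: List[str]


def parse_o16(log: str) -> List[DpfEntry]:
    entries = []
    for line in log.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            host = urlparse(m["url"]).hostname or ""
            entries.append(DpfEntry(m["clsid"], m["desc"], m["url"], host))
    return entries


def parse_o17(log: str) -> List[NameServerEntry]:
    entries = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        g = re.search(r"\{([0-9A-Fa-f-]+)\}", m["key"])
        # HijackThis separates multiple servers with spaces; some logs use commas.
        servers = [s for s in re.split(r"[\s,]+", m["servers"].strip()) if s]
        entries.append(NameServerEntry(g.group(1) if g else None, servers))
    return entries


def unexpected_nameservers(log: str, trusted_networks: Iterable[str]) -> List[str]:
    """Every O17 DNS server that is not inside one of trusted_networks (CIDR strings).
    A value that is not a valid IP address at all is reported as well."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    flagged = []
    for entry in parse_o17(log):
        for server in entry.servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                flagged.append(server)
                continue
            if not any(addr in net for net in nets):
                flagged.append(server)
    return flagged


def unknown_dpf_hosts(log: str, known_hosts: Iterable[str]) -> List[str]:
    """Download hosts of O16 entries that are not on the caller's list of recognised vendors."""
    known = {h.lower() for h in known_hosts}
    return [e.host for e in parse_o16(log) if e.host.lower() not in known]


if __name__ == "__main__":
    for e in parse_o16(SAMPLE_LOG):
        print(f"O16 {e.clsid} ({e.description}) from {e.host}")
    # Assumed trusted resolver ranges for the demonstration only.
    print("not in 192.0.2.0/24:", unexpected_nameservers(SAMPLE_LOG, ["192.0.2.0/24"]))
    print("not in 194.126.0.0/16:", unexpected_nameservers(SAMPLE_LOG, ["194.126.0.0/16"]))
    print("O16 hosts outside the scanner vendors:",
          unknown_dpf_hosts(SAMPLE_LOG, ["housecall60.trendmicro.com", "www.kaspersky.com"]))
```

The O16 part deliberately does not decide anything: a control from a download site can be perfectly legitimate (as the follow-up replies in this thread point out), so the script only surfaces the host and leaves the judgement to the reader.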
weezcake Posted November 15, 2005

"O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab"

This is needed to download things off fileplanet.com. Without it, nothing will download. :wink:

==================================
Retired tip.it moderator. Teaching and inspiring.
coltm4carbine Posted November 16, 2005

"O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
This is needed to download things off fileplanet.com. Without it, nothing will download."

Oops, my bad. I had to stay up quite late to see his reply. It shouldn't matter too much, because O16s are all ActiveX objects. If they will be needed again, then all you have to do is redownload it. If you cannot redownload it for any reason, you can always restore the entry. Just shows how important it is to move HJT into its own folder...

OK, back to business: canned instructions for restoring HJT backups.

To restore the backups:
* Open HijackThis
* Click Open the Misc Tools section
* Click the Backups button
* Place a check mark next to O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
* Click Restore
* Click Yes
* Reboot your computer
* Re-open HijackThis and post a new logfile for review.
weezcake Posted November 16, 2005

I don't think it's really a problem if he deleted it. He'll just have to redownload it, and it should work again. :)