Self-installing virus


niligo

Well, about every 2 seconds my Norton AntiVirus pops up with a virus that always has almost the same name as the previous one. The names are tmp21.tmp, tmp22.tmp, tmp23.tmp, ... and they are located in C:\WINDOWS\TEMP\

Norton deletes them every time, and when the virus is on tmp99.tmp it just starts with letters, so it isn't really ending. The name of the virus is Hacktool.Rootkit.

I'm running on Windows XP, although I don't think that has much to do with it.

Norton sends me this link about the virus on how to remove it and information about the virus, but it didn't help (I followed the steps carefully, also tried booting in safe mode): http://www.symantec.com/security_respon ... 99&tabid=1

If you need any more information, I'll gladly tell what you may need in order to find a solution.

Thanks in advance :pray:


Going to do it now then, I'll post when it's finished; it's going slow, so yeah.

I also scanned with HijackThis and had the log analyzed by the site that does this (searched on Google so I don't remember the URL, think it was hijackthis.de) but it said everything was clean.

EDIT: I have a dvt.exe and a d_v_t in my C:\ directory, is that normal? I don't think I had it previously...


Smells like a rootkit.

I was just dealing with one before I checked here xD (coincidence?)

Do you have the thread to your HJT log?

Can you also post your HJT log on here please? I think I know what those temp files are related to.

If you do online banking or anything like that then I strongly suggest you change all the passwords on a clean computer. If this is a rootkit then your computer can be completely compromised.


Disk Cleanup didn't work.

HJT log, if this is what you mean:

Logfile of HijackThis v1.99.1
Scan saved at 22:02:44, on 7/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\DEKONI~1\LOCALS~1\Temp\Rar$EX01.141\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.skynet.be/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [winhost] C:\WINDOWS\winhost.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 csa.cpl,RUN_DLL
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://yoika.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0257000785
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by110fd.bay110.hotmail.msn.com/a ... Atchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D15E8B4-6F60-4092-8B0D-B28F1C2F364F}: NameServer = 195.238.2.22 195.238.2.21
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I'm not logging in with anything now, I just want to be on the safe side...

And what do you mean with "my computer can be completely compromised"? My excuses for my bad English, it's not my mother language :anxious:


I'm not sure about the site's policy on helping people using cracked software, but I don't usually help them. (Can someone clear this up for me?)

Can you move HJT into its own folder on the desktop for a start?

Also you have 2 antiviruses. That's not good. Uninstall one of them.


Moved HJT to the desktop and I'm going to uninstall NOD32 then, see what it gives. I downloaded it because they said it was much better than Norton. :wall:

EDIT: I'm going to sleep now, I'll check back tomorrow, it's 11 pm here and I have school tomorrow, so goodnight and thank you very much for your time!


Let's get rid of some viruses first.

Disable Spybot TeaTimer.

Please go HERE to run Panda's ActiveScan:

1. Once you are on the Panda site click the Scan your PC button.
2. A new window will open... click the Check Now button.
3. Enter your Country.
4. Enter your State/Province.
5. Enter your e-mail address and click Send.
6. Select either Home User or Company.
7. Click the big Scan Now button.
8. If it wants to install an ActiveX component, allow it.
9. It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
10. When the download is complete, click on My Computer to start the scan.
11. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.


Are your settings the default settings?

Try HouseCall.

TrendMicro™ HouseCall Java Scan

1. Please go HERE to run the Trend Micro™ HouseCall Scan.
2. Click Scan now. It's free!
3. Read and put a check next to "Yes, I accept the terms of use".
4. Click the Launching HouseCall>> button.
5. Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
6. You may receive a Security Warning about the TrendMicro Java applet; click YES.
7. Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
8. Please be patient while it installs, updates, and scans your system.
9. Once the scan is complete, it will take you to the summary page.
10. Under Cleanup options, choose "Clean all detected infections automatically".
11. Click the Clean now>> button.
12. If anything was found you may be prompted to run the scan again; you can just close the browser window.


Reset IE to default settings, but I still get the error.

The virus looks dead now since I uninstalled the NOD32 app, and today Norton deleted a file but didn't show a name, so I think it was that.

I'm going to scan with HouseCall though, to be safe.


HouseCall wanted me to uninstall Norton in order to be able to install HouseCall, so I'm not scanning with it. Anyway, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 18:30:58, on 8/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\De Koninck\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [AME_CSA] rundll32 csa.cpl,RUN_DLL
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [winhost] C:\WINDOWS\winhost.exe
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://yoika.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0257000785
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by110fd.bay110.hotmail.msn.com/a ... Atchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D15E8B4-6F60-4092-8B0D-B28F1C2F364F}: NameServer = 195.238.2.22 195.238.2.21
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

That's weird... never heard of anyone complain about it before.

From your latest log... pretty obvious Norton does not do a good job.

When did you last update your Norton? Did you pay for it?

I'll give you the fix bit by bit.

Disable TeaTimer first.

Open HJT and fix these:

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [winhost] C:\WINDOWS\winhost.exe
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\

Reboot your computer into safe mode.

Show hidden files/folders:
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files/folders (if present):

C:\WINDOWS\winhost.exe
C:\\dvt

Reboot and try the online scans again.

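The three O4 lines the helper lists are HKLM Run autoruns, the kind of entry a defender triages by where the program lives. As an added example (not code from this thread or from HijackThis), here is a small Python script that parses HijackThis O4 lines and flags the location patterns worth a second look: a program sitting in the drive root, a program sitting directly in the Windows directory rather than system32, and a command that imports a .reg file at every logon. The sample input is the page's three entries plus one constructed benign HKCU entry; "[Caution]" is the forum's redaction of the executable extension and is kept as it appears on the page.

```python
import re
from collections import namedtuple

# Constructed sample: the three O4 entries the helper said to fix, plus one
# benign HKCU entry (constructed) for contrast. "[Caution]" is the forum's
# redaction of the executable extension and is kept as it appears on the page.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u",
    r"O4 - HKLM\..\Run: [winhost] C:\WINDOWS\winhost[Caution]",
    r"O4 - HKLM\..\Run: [D_V_T] C:\\dvt[Caution] /S \C:\\d_v_t.reg" "\\",  # trailing "\" as on the page
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

# HijackThis O4 format: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
AutorunEntry = namedtuple("AutorunEntry", "hive key name command")  # hive, key, value name, command line

def parse_o4(line):
    """Parse one O4 line; return None for anything that is not an O4 entry."""
    m = O4_RE.match(line.strip())
    return AutorunEntry(m["hive"], m["key"], m["name"], m["cmd"]) if m else None

def triage(entry):
    """Return the reasons this autorun deserves a look (empty list = nothing odd)."""
    reasons = []
    exe = entry.command.split(" ", 1)[0]               # first token is the program path
    exe = re.sub(r"\\+", r"\\", exe).lower()           # collapse doubled backslashes
    exe = exe.replace("%systemroot%", "c:\\windows")   # expand the one variable HJT shows here
    if re.match(r"^[a-z]:\\[^\\]+$", exe):
        reasons.append("program sits in the drive root")
    elif re.match(r"^c:\\windows\\[^\\]+$", exe):
        reasons.append("program sits directly in the Windows directory, not system32")
    if ".reg" in entry.command.lower():
        reasons.append("command imports a .reg file at every logon")
    return reasons

def triage_log(lines):
    """Map value name -> reasons for every O4 entry that raised at least one reason."""
    flagged = {}
    for line in lines:
        entry = parse_o4(line)
        if entry and (reasons := triage(entry)):
            flagged[entry.name] = reasons
    return flagged

if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_O4_LINES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample above, winhost and D_V_T are flagged while the two system32 entries are not; the heuristics only rank entries for a human to review, they do not decide what to remove.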

I updated like a week ago, then our subscription ran out and my mom doesn't want to pay to renew it. So yes, Norton is legal on my comp.

Going to reboot now...

EDIT: Files are deleted, and I can't find them after reboot in non-safe mode, so that means we cleaned the file?


Uninstall Norton and get AVG free edition. See if it picks the rest up.

HJT is not a standalone tool and will not show everything.

Download AVG Anti-Spyware from HERE and save that file to your desktop.

This is a 30-day trial of the program.

  1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
  4. Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  5. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  6. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  7. Under "Reports":
     • Select "Automatically generate report after every scan"
     • Un-select "Only if threats were found"

Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.

  1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.
     IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  4. AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
     Once the scan is complete do the following:
  5. If you have any infections you will be prompted; then select "Apply all actions".
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

Then see if the online scans work.


Well, what's the point of an antivirus that won't update??

Unless you've paid for it, and are getting updates... there's no point.

The AVGAS I've told you to download is a trial anyway. It'll pick up the rest of the crap.

For a free antivirus check out the stickies then choose what you want. It's up to you. (EG IMO Norton sucks but to some people it's good)


Did that and it found some more viruses but it didn't leave a log :s

After that I scanned again, 0 viruses found, and then it did leave a log, strange.

Anyway, I think I'm safe for now, haven't seen anything bad since the scan so yeah.

And I really thank you for your time! If there's anything I can do back just tell.
