niligo Posted January 7, 2007

Well, about every 2 seconds, my Norton antivirus pops up with a virus, always having almost the same name as the previous one. The names are tmp21.tmp, tmp22.tmp, tmp23.tmp, ... and these are located in C:\WINDOWS\TEMP\. Norton deletes them every time, and when the virus is on tmp99.tmp, it just starts with letters, so it isn't really ending. The virus is called Hacktool.Rootkit.

I'm running on Windows XP, although I don't think that has much to do with it. Norton sends me this link about the virus on how to remove it and information about the virus, but it didn't help (I followed the steps carefully, also tried booting in safe mode): http://www.symantec.com/security_respon ... 99&tabid=1

If you need any more information, I'll gladly tell you what you may need in order to find a solution. Thanks in advance :pray:

Bufoman Posted January 7, 2007

If it's located in your temporary directory, have you tried running Disk Cleanup to remove the files in there?

Clan Moderator from December 15th 2006 - August 20th 2007
Founder of: Terran Gamers, formerly known as Militos Deci

niligo Posted January 7, 2007

Going to do it now then, I'll post when it's finished, it's going slow so yeah. I also scanned with HijackThis and had the log analyzed by the site that does this (searched on Google so I don't remember the URL, think it was hijackthis.de) but it said on everything that it was clean.

EDIT: I have dvt.exe and a d_v_t in my C:\ directory, is that normal? I don't think I had it previously...

coltm4carbine Posted January 7, 2007

Smells like a rootkit. I was just dealing with one before I checked here xD (coincidence?)

Do you have the thread to your HJT log? Can you also post your HJT log on here please? I think I know what those temp files are related to.

If you do online banking or anything like that then I strongly suggest you change all the passwords on a clean computer. If this is a rootkit then your computer can be completely compromised.

niligo Posted January 7, 2007

Disk Cleanup didn't work.

HJT log, if this is what you mean:

Logfile of HijackThis v1.99.1
Scan saved at 22:02:44, on 7/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\DEKONI~1\LOCALS~1\Temp\Rar$EX01.141\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.skynet.be/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [winhost] C:\WINDOWS\winhost.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 csa.cpl,RUN_DLL
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://yoika.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0257000785
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by110fd.bay110.hotmail.msn.com/a ... Atchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D15E8B4-6F60-4092-8B0D-B28F1C2F364F}: NameServer = 195.238.2.22 195.238.2.21
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I'm not logging in with anything now, I just want to be on the safe side... And what do you mean with my computer can be completely compromised? My excuses for my bad English, it's not my mother language :anxious:

coltm4carbine Posted January 7, 2007

Before I even take a proper look at your log, answer me this. Are you using a cracked version of Nod32 (you're using Nod32 without paying)?

Compromised means taken over.

niligo Posted January 7, 2007

Yes I do :oops:

coltm4carbine Posted January 7, 2007

I'm not sure about the site's policy on helping people using cracked software but I don't usually help them. (Can someone clear this up for me?)

Can you move HJT into its own folder on the desktop for a start? Also you have 2 antiviruses. That's not good. Uninstall one of them.

niligo Posted January 7, 2007

Moved HJT to desktop and I'm going to uninstall nod32 then, see what it gives. I downloaded it because they said it was much better than Norton. :wall:

EDIT: I'm going to sleep now, I'll check back tomorrow, it's 11 pm here and I have school tomorrow, so goodnight and thank you very much for your time!

coltm4carbine Posted January 7, 2007

Let's get rid of some viruses first. Disable Spybot TeaTimer.

Please go HERE to run Panda's ActiveScan

* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report

niligo Posted January 8, 2007

"We're sorry. ActiveScan requires the browser Microsoft Internet Explorer 5.0 or later version."

I tried running it on IE v6 and 7, any help?

coltm4carbine Posted January 8, 2007

Are your settings the default settings? Try HouseCall.

TrendMicro HouseCall Java Scan

* Please go HERE to run the Trend Micro HouseCall Scan.
* Click Scan now. It's free!
* Read and put a Check next to Yes I accept the terms of use.
* Click the Launching HouseCall>> button.
* Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
* You may receive a Security Warning about the TrendMicro Java applet, click YES.
* Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
* Please be patient while it installs, updates, and scans your system.
* Once the scan is complete, it will take you to the summary page.
* Under Cleanup options, choose clean all detected infections automatically.
* Click the Clean now>> button.
* If anything was found you may be prompted to run the scan again, you can just close the browser window.

niligo Posted January 8, 2007

Reset IE to default settings, but I still get the error. Virus looks dead now since I uninstalled the nod32 app, and today Norton deleted a file but didn't show a name so I think it was that. I'm going to scan with HouseCall though to be safe.

coltm4carbine Posted January 8, 2007

Ok, post a new HJT log afterwards please, I wanna check that the file's gone. Let this be a lesson to you not to use cracks... It's bad for your computer.

Forgot from my last post. If you can get me the HouseCall log. :oops:

niligo Posted January 8, 2007

HouseCall wanted me to uninstall Norton in order to be able to install HouseCall so I'm not scanning with it, anyway here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 18:30:58, on 8/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\De Koninck\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.71:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor
O4 - HKLM\..\Run: [AME_CSA] rundll32 csa.cpl,RUN_DLL
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [winhost] C:\WINDOWS\winhost.exe
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://yoika.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0257000785
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by110fd.bay110.hotmail.msn.com/a ... Atchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D15E8B4-6F60-4092-8B0D-B28F1C2F364F}: NameServer = 195.238.2.22 195.238.2.21
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer TV-FM\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer TV-FM\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer TV-FM\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

coltm4carbine Posted January 8, 2007

That's weird...never heard of anyone complain about it before.

From your latest log...pretty obvious Norton does not do a good job. When did you last update your Norton? Did you pay for it?

I'll give you the fix bit by bit. Disable TeaTimer first.

Open HJT and fix these:

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [winhost] C:\WINDOWS\winhost.exe
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\

Reboot your computer into safe mode.

Show hidden files/folders:

* Under the Hidden files and folders heading select "Show hidden files and folders".
* Uncheck the "Hide protected operating system files (recommended)" option.
* Uncheck the "Hide file extensions for known file types" option.
* Click Yes to confirm.
* Click OK.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files/folders (if present):

C:\WINDOWS\winhost.exe
C:\\dvt

Reboot and try the online scans again.

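An added example, not part of the original thread and not HijackThis's own logic: a small triage script that parses the O4 (Run key) lines of a HijackThis log and flags autostart targets sitting directly in a drive root or directly in the Windows folder, which is where the winhost and D_V_T entries listed above point. The sample lines are copied from the log in this thread with the forum's executable-name mask read as `.exe`; the heuristics, the `WINDIR` value and all function names are assumptions of this example, and the userFaultCheck entry is not matched by them.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: O4 lines taken from the log posted in this thread, with
# the forum's "[Caution: ExecutableFile]" mask read as ".exe" (assumption).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winhost] C:\WINDOWS\winhost.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 csa.cpl,RUN_DLL
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
"""

WINDIR = r"c:\windows"  # assumed Windows directory, as seen in the log

# "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>.*?)\] (?P<cmd>.+)$"
)
# Unquoted paths may contain spaces, so cut at the first executable extension.
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)


@dataclass
class Finding:
    hive: str
    name: str
    target: str
    reasons: list


def target_of(cmd: str) -> str:
    """Return the normalised, lower-cased program path of a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end != -1 else cmd[1:]
    else:
        m = EXE_RE.match(cmd)
        path = m.group(1) if m else cmd.split()[0]
    path = re.sub(r"\\+", r"\\", path).lower()  # "C:\\dvt.exe" -> "c:\dvt.exe"
    for var in ("%systemroot%", "%windir%"):
        path = path.replace(var, WINDIR)
    return path


def triage(log_text: str) -> list:
    """Flag O4 entries worth a manual look; a flag is not a verdict."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 autostart line
        target = target_of(m["cmd"])
        folder = ntpath.dirname(target)
        reasons = []
        if re.fullmatch(r"[a-z]:\\", folder):
            reasons.append("executable in drive root")
        if folder == WINDIR:
            reasons.append("executable directly in Windows folder")
        if re.search(r"\.reg\b", m["cmd"], re.I):
            reasons.append("command line references a .reg file")
        if reasons:
            findings.append(Finding(m["hive"], m["name"], target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] {f.target}: {'; '.join(f.reasons)}")
```

Bare names such as `RTHDCPL.exe` or `rundll32` carry no folder, so they pass through unflagged and still need checking by hand.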
niligo Posted January 8, 2007

I updated like a week ago, then our subscription ran out and my mom doesn't want to pay to renew it. So yes, Norton is legal on my comp. Going to reboot now...

EDIT: Files are deleted, and I can't find them after reboot in non-safe mode, so that means we cleaned the file?

coltm4carbine Posted January 8, 2007

Uninstall Norton and get AVG free edition. See if it picks the rest up. HJT is not a standalone tool and will not show everything.

Download AVG Anti-Spyware from HERE and save that file to your desktop. This is a 30 day trial of the program.

* Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
* Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
* On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

* Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:

* Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
* Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
* AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.

Once the scan is complete do the following:

* If you have any infections you will be prompted, then select "Apply all actions"
* Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
* Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

Then see if the online scans work.

niligo Posted January 8, 2007

Are you sure I should uninstall Norton? Won't I lose my definitions if I reinstall it after scanning with AVG? Or what antivirus can you recommend me?

coltm4carbine Posted January 8, 2007

Well, what's the point of an antivirus that won't update?? Unless you've paid for it, and are getting updates...there's no point.

The AVGAS I've told you to download is a trial anyway. It'll pick up the rest of the crap. For a free antivirus check out the stickies then choose what you want. It's up to you. (E.g. IMO Norton sucks but to some people it's good)

niligo Posted January 9, 2007

Did that and it found some more viruses but it didn't leave a log :s After that I scanned again, 0 viruses found, and then it did leave a log, strange. Anyway, I think I'm safe for now, haven't seen anything bad since the scan so yeah. And I really thank you for your time! If there's anything I can do back just tell.