Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

pc infected

Started by toufik , Feb 25 2005 06:31 AM

  • Please log in to reply

#1
toufik
Posted 25 February 2005 - 06:31 AM

toufik

    New Member

  • Member
  • Pip
  • 6 posts
hi, my pc is infected with many malware i have the following problesm :
- an istsvc file thaht always here whene i deleted.
- many popus like ( sherch result for...., find a...at....)
- always hang up demand.
- my connection is slow and i believe that is related to an infection.
- the item 04 of my hijacjthis log always here when i fixed it, and i don't have mcaffe, navprotect, rant ...etc in my pc !!!)
- when i run a software a message related to an autoexec.NT. is apear and i can not run.

please help me.

this is my hijackthis log :

Logfile of HijackThis v1.99.0
Scan saved at 13:27:28, on 25/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\netdde.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\System32\imapi.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\vssvc.exe
D:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\WINDOWS\System32\dmadmin.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\rant.exe
D:\WINDOWS\qniqtso.exe
D:\Program Files\ISTsvc\istsvc.exe
D:\WINDOWS\nvsvca32.exe
D:\WINDOWS\msexploren.exe
D:\WINDOWS\System32\navprotect.exe
D:\WINDOWS\System32\lah.exe
D:\WINDOWS\System32\mcafee32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\System32\navprot32.exe
D:\Documents and Settings\Benteboula Toufik\Bureau\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1030
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;cgi*.ebay.com;disney.go.com;msa_e1.ebay.com;rhapsody_app*.listen.com;<local>
O4 - HKLM\..\Run: [Norton AutoProtect] navprot32.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [Norton Personal Firewall] lah.exe
O4 - HKLM\..\Run: [rant] rant.exe
O4 - HKLM\..\Run: [antiware] D:\windows\system32\elitedez32.exe
O4 - HKLM\..\Run: [×jœS˜‰ØUÑñT»óonÄ;D:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\qniqtso.exe
O4 - HKLM\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKLM\..\Run: [IST Service] D:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [nvsvca32] D:\WINDOWS\nvsvca32.exe
O4 - HKLM\..\Run: [SvcH0st] D:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\RunServices: [Norton Personal Firewall] lah.exe
O4 - HKLM\..\RunServices: [Norton AutoProtect] navprot32.exe
O4 - HKLM\..\RunServices: [rant] rant.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [McAfee Windows Protection] mcafee32.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [Norton Personal Firewall] lah.exe
O4 - HKCU\..\Run: [Norton AutoProtect] navprot32.exe
O4 - HKCU\..\Run: [rant] rant.exe
O4 - HKCU\..\Run: [McAfee Windows Protection] mcafee32.exe
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{A760F5A3-BB80-4D42-862C-AB65B3D2B149}: NameServer = 81.22.91.164 81.22.90.29
O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - D:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements - Unknown - D:\WINDOWS\system32\services.exe
O23 - Service: Service COM de gravage de CD IMAPI - Unknown - D:\WINDOWS\System32\imapi.exe
O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - D:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE réseau - Unknown - D:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM DDE réseau - Unknown - D:\WINDOWS\system32\netdde.exe
O23 - Service: Plug-and-Play - Unknown - D:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance - Unknown - D:\WINDOWS\system32\sessmgr.exe
O23 - Service: Prise en charge des cartes à puces - Unknown - D:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Carte à puce - Unknown - D:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance - Unknown - D:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume - Unknown - D:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI - Unknown - D:\WINDOWS\System32\wbem\wmiapsrv.exe
O23 - Service: Network Security Service (NSS) - Unknown - D:\WINDOWS\javaqr.exe (file missing)
  • 0

Advertisements

#2
-=jonnyrotten=-
Posted 25 February 2005 - 02:48 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). Be sure you're able to view hidden
files.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1030
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;cgi*.ebay.com;disney.go.com;msa_e1.ebay.com;rhapsody_app*.listen.com;<local>
O4 - HKLM\..\Run: [Norton AutoProtect] navprot32.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [Norton Personal Firewall] lah.exe
O4 - HKLM\..\Run: [rant] rant.exe
O4 - HKLM\..\Run: [antiware] D:\windows\system32\elitedez32.exe
O4 - HKLM\..\Run: [×jœS˜‰ØUÑñT»óonÄ;D:\Program Files\ISTsvc\istsvc.exe] D:\WINDOWS\qniqtso.exe
O4 - HKLM\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKLM\..\Run: [IST Service] D:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [nvsvca32] D:\WINDOWS\nvsvca32.exe
O4 - HKLM\..\Run: [SvcH0st] D:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\RunServices: [Norton Personal Firewall] lah.exe
O4 - HKLM\..\RunServices: [Norton AutoProtect] navprot32.exe
O4 - HKLM\..\RunServices: [rant] rant.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [McAfee Windows Protection] mcafee32.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [Norton Personal Firewall] lah.exe
O4 - HKCU\..\Run: [Norton AutoProtect] navprot32.exe
O4 - HKCU\..\Run: [rant] rant.exe
O4 - HKCU\..\Run: [McAfee Windows Protection] mcafee32.exe
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O23 - Service: Network Security Service (NSS) - Unknown - D:\WINDOWS\javaqr.exe (file missing)

Remove the following files in bold (if found):

D:\WINDOWS\System32\rant.exe
D:\WINDOWS\qniqtso.exe
D:\Program Files\ISTsvc
D:\WINDOWS\nvsvca32.exe
D:\WINDOWS\msexploren.exe
D:\WINDOWS\System32\navprotect.exe
D:\WINDOWS\System32\lah.exe
D:\WINDOWS\System32\mcafee32.exe
D:\WINDOWS\System32\navprot32.exe
D:\windows\system32\elitedez32.exe
D:\WINDOWS\msexploren.exe
D:\Program Files\FlashGet
D:\WINDOWS\javaqr.exe

Copy and paste the quoted text below into a new notepad document. Now "Save As" export.bat, and change the "Save as Type" to "All Files" and save the file to your desktop. Now double click the file, it will open a notepad file with some text in it. Copy and paste the content of the file back here:

cd\
regedit /e HKCURun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
regedit /e HKLMRun.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


copy HKLMRun.txt + HKCURun.txt = Output.txt
notepad Output.txt


Reboot and post a new Log.

-=jonnyrotten=- :tazz:
  • 0

#3
toufik
Posted 26 February 2005 - 12:32 PM

toufik

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
ook, thank you for the reply !!!
i done all what you say but i didn't find :
d:\windows\qniqsto.exe
d:\windows\javaqr.exe

my system seems to be clear !!! this is my new hijackthis log :

Logfile of HijackThis v1.99.0
Scan saved at 19:26:03, on 26/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\netdde.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\System32\imapi.exe
D:\WINDOWS\system32\sessmgr.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\vssvc.exe
D:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\WINDOWS\System32\dmadmin.exe
D:\WINDOWS\Explorer.EXE
D:\HTJ\hijackthis\HijackThis.exe

O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - D:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements - Unknown - D:\WINDOWS\system32\services.exe
O23 - Service: Service COM de gravage de CD IMAPI - Unknown - D:\WINDOWS\System32\imapi.exe
O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - D:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE réseau - Unknown - D:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM DDE réseau - Unknown - D:\WINDOWS\system32\netdde.exe
O23 - Service: Plug-and-Play - Unknown - D:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance - Unknown - D:\WINDOWS\system32\sessmgr.exe
O23 - Service: Prise en charge des cartes à puces - Unknown - D:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Carte à puce - Unknown - D:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance - Unknown - D:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume - Unknown - D:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI - Unknown - D:\WINDOWS\System32\wbem\wmiapsrv.exe


thanks to tell me if is it good !!!
best regards !!!
  • 0

#4
-=jonnyrotten=-
Posted 26 February 2005 - 12:45 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)

-=jonnyrotten=- :thumbsup:
  • 0

#5
toufik
Posted 28 February 2005 - 12:51 PM

toufik

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
hi,

i download all the application you told me , but i steel have a little problem, please tell me where or how i can fixed it.

when i run an apllication a message with title " under 16 bit windows" appear and show this " d:\windows\system32\autoexec.nt. is not appropriate to ms dos 16 bit application and microsoft windows" and i can't run application i must close.

what this problem ?
is it a spyware infection wich infect autoexec.NT ?

help me ?

waiting , best regards !!
  • 0

#6
bdlt
Posted 28 February 2005 - 02:14 PM

bdlt

    Member

  • Member
  • PipPipPip
  • 876 posts
Here's something you might try for the autoexec.nt problem:

1. Insert the CD into the CD drive or DVD drive.
2. Click Start, and then click Run.
3. In the Open box, type cmd, and then click OK.
4. At the command prompt, type the following commands, pressing ENTER
after each command:

expand CD-ROM Drive Letter:\i386\config.nt_ c:\windows\system32\config.nt
expand CD-ROM Drive Letter:\i386\autoexec.nt_ c:\windows\system32\autoexec.nt
expand CD-ROM Drive Letter:\i386\command.co_ c:\windows\system32\command.com
exit
5. Start or install the program. If the issue is resolved, do not
complete the remaining steps. If the issue is not resolved, go to the next step.

steps 6 and on can be found at
http://support.micro...kb;en-us;324767

Some users had the autoexec.nt file damaged/removed after restarting the pc. The steps above will replace the files, but will not prevent damage or removal.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP