Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

secure32.html - cannot remove things with killbox


  • Please log in to reply

#1
jahija77

jahija77

    Member

  • Member
  • PipPip
  • 13 posts
Help! I tried to follow steps given here to get rid of this trojan. I run Norton Antivirus, MksVir, Panda Online and AdAware on my computer but some of the stuff was left and I still cannot change my homepage from c:\secure32.html. Here's my Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 17:31:28, on 2007-01-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Grot\USTAWI~1\Temp\Katalog tymczasowy 2 dla hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Grot\Pulpit\KillBox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {C37CC97A-2AB1-0730-99AB-2050A0F129CE} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36EC6C8E-D140-A9C9-3723-886A62D5DBCB} - C:\WINDOWS\system32\dxjaaytd.dll (file missing)
O2 - BHO: (no name) - {B50D0710-EE89-9705-F3B9-E12C866B5E94} - C:\WINDOWS\system32\srnms.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C37CC97A-2AB1-0730-99AB-2050A0F129CE} - (no file)
O3 - Toolbar: (no name) - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [c9c35389.exe] C:\WINDOWS\system32\c9c35389.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aooa] "C:\DOCUME~1\Grot\DANEAP~1\APPATC~1\rundll32.exe" -vt yax
O4 - HKCU\..\Run: [Dygjxa] C:\Program Files\Common Files\?ystem\??rvices.exe
O4 - HKCU\..\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135426657640
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.p...kanerOnline.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O20 - AppInit_DLLs:
O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)
O21 - SSODL: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOINC - Unknown owner - C:\Program Files\BOINC\boinc.exe" -daemon (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

I know there are some things I should remove on reboot using killbox, but when I copy their paths to killbox and hit "delete" I get a message saying "PendingFileRenameOperations Registry Data has been Removed by External Process!" and I can't do anything about it. Can somebody help??? Pleeease.
  • 0

Advertisements


#2
M4_Fanatic

M4_Fanatic

    Member

  • Member
  • PipPipPip
  • 282 posts
Hello jahija77 and welcome to Geekstogo.

My name is M4_Fanatic and I will be helping you with your problem.
As I am still in training I will be helping you under supervision of our expert teachers,so there may be a delay between posts.

I will be back with you as soon as possible.
  • 0

#3
jahija77

jahija77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Great to hear someone can help :whistling:)))
  • 0

#4
M4_Fanatic

M4_Fanatic

    Member

  • Member
  • PipPipPip
  • 282 posts
Hello again :whistling:,

=====
Step 1
=====

You are currently using HijackThis from a temporary directory, this can cause problems.
HijackThis creates backups, these are needed in case of any recovery issues.
Please create a directory on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that directory from now on.

STEPS For Creating Folder
1. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.

2. Move HijackThis to the new folder:

3. Close ALL windows except HJT

4. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')

5. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')
Please make sure you post the entire log including the top portion:

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

=====
Step 2
=====

Download haxfix.exe
and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.
====
Step 3
====
Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

In your next post I will be looking for the following:
  • A New HiJackthis Log
  • Haxfix.txt
  • Smitfraudfix report
  • Uninstall list

  • 0

#5
jahija77

jahija77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Ok, I did what you said and here are the 4 things you told me to paste:

1 New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 13:07:20, on 2007-01-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {C37CC97A-2AB1-0730-99AB-2050A0F129CE} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36EC6C8E-D140-A9C9-3723-886A62D5DBCB} - C:\WINDOWS\system32\dxjaaytd.dll (file missing)
O2 - BHO: (no name) - {B50D0710-EE89-9705-F3B9-E12C866B5E94} - C:\WINDOWS\system32\srnms.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C37CC97A-2AB1-0730-99AB-2050A0F129CE} - (no file)
O3 - Toolbar: (no name) - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [c9c35389.exe] C:\WINDOWS\system32\c9c35389.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aooa] "C:\DOCUME~1\Grot\DANEAP~1\APPATC~1\rundll32.exe" -vt yax
O4 - HKCU\..\Run: [Dygjxa] C:\Program Files\Common Files\?ystem\??rvices.exe
O4 - HKCU\..\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135426657640
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.p...kanerOnline.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O20 - AppInit_DLLs:
O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)
O21 - SSODL: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOINC - Unknown owner - C:\Program Files\BOINC\boinc.exe" -daemon (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

2 Haxlog.txt

HAXFIX logfile - by Marckie

version 4.361
2007-01-17 13:27:39,75

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


Finished!

3. SmitfraudFix rapport

SmitFraudFix v2.132

Scan done at 13:21:34,85, 2007-01-17
Run from C:\Documents and Settings\Grot\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Grot


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Grot\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\MENUST~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\MENUST~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Grot\Ulubione


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Moja bieľĄca strona gˆ˘wna"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{588599f4-de26-4c28-ba14-f4eb17e33481}"="emptins"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

4. Uninstal list


"SubEdit-Player"
AC3Filter (remove only)
Acoustica MP3 Audio Mixer
Ad-Aware SE Personal
Adobe Reader 7.0 - Polish
Aktualizacja dla systemu Windows XP (KB894391)
Aktualizacja dla systemu Windows XP (KB898461)
Aktualizacja dla systemu Windows XP (KB900485)
Aktualizacja dla systemu Windows XP (KB900930)
Aktualizacja dla systemu Windows XP (KB910437)
Aktualizacja dla systemu Windows XP (KB916595)
Aktualizacja dla systemu Windows XP (KB920872)
Aktualizacja dla systemu Windows XP (KB922582)
Aktualizacja zabezpieczeń dla programu Windows Media Player (KB911564)
Aktualizacja zabezpieczeń dla programu Windows Media Player 6.4 (KB925398)
Aktualizacja zabezpieczeń dla programu Windows Media Player 9 (KB911565)
Aktualizacja zabezpieczeń dla programu Windows Media Player 9 (KB917734)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB890046)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB893066)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB893756)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896358)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896422)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896423)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896424)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896428)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB899587)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB899589)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB899591)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB900725)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB901017)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB901214)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB902400)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB904706)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB905414)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB905749)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB905915)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB908519)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB908531)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB911280)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB911562)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB911567)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB911927)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB912812)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB912919)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB913446)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB913580)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB914388)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB914389)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB916281)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB917159)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB917344)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB917422)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB917953)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB918439)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB918899)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB919007)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB920213)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB920214)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB920670)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB920683)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB920685)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB921398)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB921883)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB922616)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB922760)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB922819)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB923191)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB923414)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB923694)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB923980)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB924191)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB924270)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB924496)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB925454)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB925486)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB926255)
Aktualizacja zabezpieczeń dla systemu Windows XP (KB929969)
Aktualizacja zabezpieczeń dla Windows XP (KB923689)
Archiwizator WinRAR
ATI Control Panel
ATI Display Driver
Avanquest update
Ballance
Black and White
BOINC
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Cowabanga by OIN
Creative Jukebox Driver
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Micro
Cubis Gold 2
DC++ 0.674
DivX
DivX Player
Gadu-Gadu 7.0
GoldWave v5.10
Hardware sensors monitor 4.2
Hidden Expedition Titanic
HijackThis 1.99.1
HP Deskjet 3840
HP Software Update
Kyodai
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Motorola Phone Tools
MSI Live Update 3
MSXML 4.0 SP2 (KB927978)
Myst Masterpiece Edition
Mystery Case Files - Ravenhearst (remove only)
Mystery Case Files Prime Suspects
Narzędzie Software Uninstall Utility firmy ATI
Nero - Burning Rom
Norton AntiVirus 2003 Professional Edition
NVIDIA nForce Drivers
Pakiet podstawowego dostawcy usług kryptograficznych kart inteligentnych Microsoft
PITy 2005 dla Windows kompilacja:1.0.1.56
Poprawka Security Update dla produktu Microsoft .NET Framework 2.0 (KB917283)
Poprawka systemu Windows XP - KB873339
Poprawka systemu Windows XP - KB885250
Poprawka systemu Windows XP - KB885835
Poprawka systemu Windows XP - KB885836
Poprawka systemu Windows XP - KB886185
Poprawka systemu Windows XP - KB887472
Poprawka systemu Windows XP - KB887742
Poprawka systemu Windows XP - KB887797
Poprawka systemu Windows XP - KB888113
Poprawka systemu Windows XP - KB888302
Poprawka systemu Windows XP - KB890859
Poprawka systemu Windows XP - KB891781
PowerDVD
Public Messenger ver 2.03
PuTTY version 0.58
QuickTime
Rozszerzenie HighMAT do Kreatora zapisywania dysku CD w systemie Microsoft Windows XP
Sandlot Games Client Services
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Settlers IV - Złota Edycja
Spin & Play (remove only)
Total Commander (Remove or Repair)
Tradewinds 2
Travelogue 360 Paris (remove only)
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Yazzle by OIN
YazzleActiveX By OIN


Hope I've done everything right this time
  • 0

#6
M4_Fanatic

M4_Fanatic

    Member

  • Member
  • PipPipPip
  • 282 posts
====
Step 1
====
Download Rustbfix from one of these locations:
http://www.uploads.e...et/rustbfix.exe
http://uploads.ejvin...om/Rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.

=====
Step 2
=====
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.
  • 0

#7
jahija77

jahija77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Ok, here are the things from step 1:

The 2 logfiles:

************************* Rustock.b-fix -- By ejvindh *************************
2007-01-18 14:43:51,25

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 70816
Total size: 70816 bytes.
Attempting to remove ADS...
system32: deleted 70816 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************

_________________________________________________________________________________________

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ypckplkk

*******************

Script file located at: \??\C:\Documents and Settings\hycucmws.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.


And a new HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 15:02:18, on 2007-01-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {C37CC97A-2AB1-0730-99AB-2050A0F129CE} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36EC6C8E-D140-A9C9-3723-886A62D5DBCB} - C:\WINDOWS\system32\dxjaaytd.dll (file missing)
O2 - BHO: (no name) - {B50D0710-EE89-9705-F3B9-E12C866B5E94} - C:\WINDOWS\system32\srnms.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C37CC97A-2AB1-0730-99AB-2050A0F129CE} - (no file)
O3 - Toolbar: (no name) - {96ebbe6a-2864-4345-b32b-26ee9be524b5} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [c9c35389.exe] C:\WINDOWS\system32\c9c35389.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aooa] "C:\DOCUME~1\Grot\DANEAP~1\APPATC~1\rundll32.exe" -vt yax
O4 - HKCU\..\Run: [Dygjxa] C:\Program Files\Common Files\?ystem\??rvices.exe
O4 - HKCU\..\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135426657640
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.p...kanerOnline.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O20 - AppInit_DLLs:
O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)
O21 - SSODL: emptins - {588599f4-de26-4c28-ba14-f4eb17e33481} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOINC - Unknown owner - C:\Program Files\BOINC\boinc.exe" -daemon (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


I'm now on to step 2 :whistling:
  • 0

#8
jahija77

jahija77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
And I have another problem: I can't access the Safe mode because I can't choose it at startup. When I press F8 I get a "Boot Menu" and I am told to select a Boot First drive from these options: Floppy, HDD-0, CDROM, HDD-1, LAN. That's all there is and none of them lead to the safe mode. So now I'm confused :/
  • 0

#9
M4_Fanatic

M4_Fanatic

    Member

  • Member
  • PipPipPip
  • 282 posts
Hello, sorry for the delay.

When you see that option please can you select hdd-0 and press F8 after you have selected that option to get into safemode.

Then please continue with my previous instructions that you should of saved or printed off.
  • 0

#10
jahija77

jahija77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Thanks ever so much. It was a stupid problem to have but...
still it was a problem. I did what you said and everything is fine now.
here's a new HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 03:55:22, on 2007-01-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {C37CC97A-2AB1-0730-99AB-2050A0F129CE} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36EC6C8E-D140-A9C9-3723-886A62D5DBCB} - C:\WINDOWS\system32\dxjaaytd.dll (file missing)
O2 - BHO: (no name) - {B50D0710-EE89-9705-F3B9-E12C866B5E94} - C:\WINDOWS\system32\srnms.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C37CC97A-2AB1-0730-99AB-2050A0F129CE} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [c9c35389.exe] C:\WINDOWS\system32\c9c35389.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aooa] "C:\DOCUME~1\Grot\DANEAP~1\APPATC~1\rundll32.exe" -vt yax
O4 - HKCU\..\Run: [Dygjxa] C:\Program Files\Common Files\?ystem\??rvices.exe
O4 - HKCU\..\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135426657640
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.p...kanerOnline.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O20 - AppInit_DLLs:
O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOINC - Unknown owner - C:\Program Files\BOINC\boinc.exe" -daemon (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

... and it's all clean :whistling:))))))))))

I am ever so gratefull. It's a shame that you're far away because I owe you a big time.
  • 0

Advertisements


#11
M4_Fanatic

M4_Fanatic

    Member

  • Member
  • PipPipPip
  • 282 posts
Hi,

Please print out or copy these instructions/tutorial to Notepad as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

1. Download ComboFix.exe using either of these links:

BleepingComputer

Techsupportforum.com

2. Double click on combofix.exe & follow the prompts to allow the tool to run.

3. When it has finished, it will produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - {C37CC97A-2AB1-0730-99AB-2050A0F129CE} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {36EC6C8E-D140-A9C9-3723-886A62D5DBCB} - C:\WINDOWS\system32\dxjaaytd.dll (file missing)
O2 - BHO: (no name) - {B50D0710-EE89-9705-F3B9-E12C866B5E94} - C:\WINDOWS\system32\srnms.dll (file missing)
O2 - BHO: (no name) - {C37CC97A-2AB1-0730-99AB-2050A0F129CE} - (no file)
O4 - HKLM\..\Run: [c9c35389.exe] C:\WINDOWS\system32\c9c35389.exe
O4 - HKCU\..\Run: [Aooa] "C:\DOCUME~1\Grot\DANEAP~1\APPATC~1\rundll32.exe" -vt yax
O4 - HKCU\..\Run: [Dygjxa] C:\Program Files\Common Files\?ystem\??rvices.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
O20 - AppInit_DLLs:
O20 - Winlogon Notify: winexz32 - winexz32.dll (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):


Cowabanga by OIN
Yazzle by OIN
YazzleActiveX By OIN


Please note any other programs that you dont recognize in that list in your next response

Show hidden files/folders:
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\dxjaaytd.dll
C:\WINDOWS\system32\srnms.dll
C:\WINDOWS\system32\c9c35389.exe
C:\Documents and Settings\Grot\DANEAP~1\APPATC~1\rundll32.exe
C:\WINDOWS\system32\msasvc.exe
winexz32.dll <<<you will need to use the windows xp search function to find this file (Start -> search).

After that, Reboot and post a new HJT log.
  • 0

#12
jahija77

jahija77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi.
So, I guess I was wrong and it not all fine :whistling:

Here's the Combofix log:

"Grot" - 07-01-21 18:07:12 Dodatek Service Pack 2
ComboFix 07-01-21 - Running from: "C:\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Grot
C:\qoobox\purity\DOCUME~1\Grot\Dane aplikacji
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty
C:\qoobox\purity\DOCUME~1\Grot\Dane aplikacji\APPATC~1
C:\qoobox\purity\DOCUME~1\Grot\Dane aplikacji\CURITY~1
C:\qoobox\purity\DOCUME~1\Grot\Dane aplikacji\DOBE~1
C:\qoobox\purity\DOCUME~1\Grot\Dane aplikacji\from.txt
C:\qoobox\purity\DOCUME~1\Grot\Dane aplikacji\PPATCH~1
C:\qoobox\purity\DOCUME~1\Grot\Dane aplikacji\PPATCH~2
C:\qoobox\purity\DOCUME~1\Grot\Dane aplikacji\SKS~1
C:\qoobox\purity\DOCUME~1\Grot\Dane aplikacji\SKS~2
C:\qoobox\purity\DOCUME~1\Grot\Dane aplikacji\TSKS~1
C:\qoobox\purity\DOCUME~1\Grot\Dane aplikacji\APPATC~1\APPATC~1
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty\ASEMBL~1
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty\ASKS~1
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty\CURITY~1
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty\DOBE~1
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty\FNTS~1
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty\from.txt
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty\ICROSO~1.NET
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty\PPPATC~1
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty\SKS~1
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty\STEM~1
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty\WNSXS~1
C:\qoobox\purity\DOCUME~1\Grot\Moje dokumenty\YSTEM~1
C:\qoobox\purity\Program Files\ASKS~1
C:\qoobox\purity\Program Files\CROSOF~1
C:\qoobox\purity\Program Files\DOBE~1
C:\qoobox\purity\Program Files\PPPATC~1
C:\qoobox\purity\Program Files\Common Files\ASEMBL~1
C:\qoobox\purity\Program Files\Common Files\ECURIT~1
C:\qoobox\purity\Program Files\Common Files\ICROSO~1
C:\qoobox\purity\Program Files\Common Files\PPATCH~1
C:\qoobox\purity\Program Files\Common Files\SEMBLY~1
C:\qoobox\purity\Program Files\Common Files\SSTEM3~1
C:\qoobox\purity\Program Files\Common Files\SSTEM~1
C:\qoobox\purity\Program Files\Common Files\YSTEM~1
C:\qoobox\purity\WINDOWS\ASKS~1
C:\qoobox\purity\WINDOWS\DOBE~1
C:\qoobox\purity\WINDOWS\SMANTE~1
C:\qoobox\purity\WINDOWS\WNSXS~1
C:\qoobox\purity\WINDOWS\YMBOLS~1
C:\qoobox\purity\WINDOWS\YSTEM3~1
C:\qoobox\purity\WINDOWS\system32\ASKS~1
C:\qoobox\purity\WINDOWS\system32\CROSOF~1
C:\qoobox\purity\WINDOWS\system32\CROSOF~1.NET
C:\qoobox\purity\WINDOWS\system32\DOBE~1
C:\qoobox\purity\WINDOWS\system32\ECURIT~1
C:\qoobox\purity\WINDOWS\system32\ICROSO~1.NET
C:\qoobox\purity\WINDOWS\system32\RACLE~1
C:\qoobox\purity\WINDOWS\system32\SCURIT~1
C:\qoobox\purity\WINDOWS\system32\SMANTE~1
C:\qoobox\purity\WINDOWS\system32\SMBOLS~1
C:\qoobox\purity\WINDOWS\system32\SSTEM3~1
C:\qoobox\purity\WINDOWS\system32\SSTEM~1
C:\qoobox\purity\WINDOWS\system32\WNSXS~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-21 to 2007-01-21 ))))))))))))))))))))))))))))))))))


2007-01-21 05:18 849,830 --a------ C:\combofix.exe
2007-01-18 14:46 <DIR> d-------- C:\avenger
2007-01-18 14:43 <DIR> d-------- C:\Rustbfix
2007-01-17 13:21 3,048 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-17 13:12 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2007-01-17 13:12 8,234 --a------ C:\clean.bat
2007-01-17 13:12 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-01-17 13:12 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2007-01-17 13:00 <DIR> d-------- C:\HJT
2007-01-16 16:56 <DIR> d-------- C:\!KillBox
2007-01-16 11:44 <DIR> d-------- C:\Program Files\SymNetDrv
2007-01-16 11:39 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
2007-01-16 11:38 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-01-16 11:38 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-01-16 11:11 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-01-15 19:35 <DIR> d--h----- C:\WINDOWS\PIF
2007-01-15 16:11 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\Dane aplikacji\TEMP
2007-01-15 14:50 <DIR> d-------- C:\Program Files\Oberon Media
2007-01-14 19:02 <DIR> d-------- C:\DOCUME~1\Grot\Dane aplikacji\iWin
2007-01-10 18:02 <DIR> d-------- C:\Program Files\QuickTime
2007-01-10 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Dane aplikacji\Apple Computer


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-21 18:08 -------- d-------- C:\Program Files\boinc
2007-01-16 12:12 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-16 11:44 -------- d-------- C:\Program Files\symantec
2007-01-16 11:42 -------- d-------- C:\Program Files\norton antivirus
2007-01-16 11:09 -------- d-------- C:\Program Files\dc++
2007-01-15 19:46 -------- d-------- C:\Program Files\gaqme jackal
2007-01-15 19:45 1890 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-01-10 18:04 -------- d--h----- C:\Program Files\installshield installation information
2007-01-02 17:00 -------- d-------- C:\Program Files\gamehouse
2006-12-11 16:46 -------- d-------- C:\DOCUME~1\Grot\Dane aplikacji\playfirst
2006-12-08 13:36 11648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-12-07 06:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-04 02:37 -------- d-------- C:\DOCUME~1\Grot\Dane aplikacji\mks_vir
2006-11-30 05:06 2 --a------ C:\WINDOWS\system32\wintsvtr.exe
2006-11-27 14:00 707360 --a------ C:\WINDOWS\system32\skaneronline.dll
2006-11-27 14:00 69920 --a------ C:\WINDOWS\system32\skaneronlineuninstall.exe
2006-11-08 06:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-30 19:09 5 --a------ C:\WINDOWS\armta.dll
2006-10-30 18:19 90112 --a------ C:\WINDOWS\system32\agsaami.dll
2006-10-30 18:19 610304 --a------ C:\WINDOWS\system32\agsaamg.dll
2006-10-30 18:19 372736 --a------ C:\WINDOWS\system32\agsaamc.dll
2006-10-30 18:19 2535424 --a------ C:\WINDOWS\system32\agsaamj.dll
2006-10-30 18:19 21 --a------ C:\WINDOWS\system32\winitn.dll
2006-10-30 18:19 1986560 --a------ C:\WINDOWS\system32\akll.dll
2006-10-30 18:19 196608 --a------ C:\WINDOWS\system32\maag.dll
2006-10-30 18:19 1245184 --a------ C:\WINDOWS\system32\bkll.dll
2006-10-30 18:19 1212416 --a------ C:\WINDOWS\system32\ckll.dll
2006-10-30 17:59 79360 --a------ C:\WINDOWS\system32\realmrec.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Gadu-Gadu"="\"C:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"MailScanner"="C:\\Program Files\\MKS_VIR_2006\\Mks_mail.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"LiveMonitor"="C:\\Program Files\\MSI\\Live Update 3\\LMonitor.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"NeroCheck"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
"NWEReboot"=""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2e09d814-9c21-11db-9dd4-806d6172696f}]
Shell\AutoRun\command H:\Autorun.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-21 18:08:50
C:\ComboFix2.txt ... 07-01-21 05:25


And a HJT log after fixing the listed entries:

Logfile of HijackThis v1.99.1
Scan saved at 18:12:03, on 2007-01-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135426657640
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.p...kanerOnline.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOINC - Unknown owner - C:\Program Files\BOINC\boinc.exe" -daemon (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0

#13
jahija77

jahija77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
I only found a part of the things to delete in safe mode. But I found one programme in the control panel that I don't know: MSXML 4.0 SP2(KB927978).
  • 0

#14
jahija77

jahija77

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
And here is the last HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 18:54:55, on 2007-01-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135426657640
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.p...kanerOnline.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOINC - Unknown owner - C:\Program Files\BOINC\boinc.exe" -daemon (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0

#15
M4_Fanatic

M4_Fanatic

    Member

  • Member
  • PipPipPip
  • 282 posts
Hello,

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

Go to Start | Run and type this in the box: services.msc
  • Locate these services, 'Microsoft authenticate service' then right click and select properties.
  • Under Service Status: select Stop
  • In the drop down box labeled, Startup Type: select Disabled
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
In your next reply I'll be looking for the following:
  • A new HJT log
  • AVG antispyware report

Edited by M4_Fanatic, 21 January 2007 - 01:07 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP