Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Need help cleaning up Computer


  • Please log in to reply

#1
adamsho1

adamsho1

    New Member

  • Member
  • Pip
  • 4 posts
Thanks in advance for any help you can provide. Here is my log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 9:33:08 PM, on 7/31/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\addcn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\crgh.exe
C:\Program Files\NetZero\exec.exe
C:\pilot\HOTSYNC.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {99D764FC-CDD7-00B8-618D-0880E43E5DFC} - C:\WINDOWS\winbn32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [netkz.exe] C:\WINDOWS\netkz.exe
O4 - HKLM\..\Run: [crgh.exe] C:\WINDOWS\crgh.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: HotSync Manager 2.0.lnk = C:\pilot\HOTSYNC.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .WAV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122818512199
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\addcn.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements


#2
bricat

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
Welcome to the Geeks To Go forum.:tazz:


Step 1

Download Killbox from here to your desktop.

Download and install About Buster 5.0 following the instructions here.
Update the program with the latest definitions and install the extra protection:
-- Firefox for surfing so that Internet Explorer can be kept closed until you're clean.
-- Spywareblaster to prevent future stealth installations of malware.
Do NOT scan with About Buster yet.

Download, install and setup Ewido Security Suite by following the instructions here.
Once updated, close the program without scanning.

Download Cleanup! from here.

Download CWSServicemove.zip from here and unzip it to your desktop. Don't do anything with it yet.

Ensure you're familiar with rebooting into Safe Mode.

Copy the below steps to notepad and save them to your desktop. Close Internet Explorer and disconnect from the internet.



Step 2

Run HJT again and checkmark the boxes next to the following:-


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {99D764FC-CDD7-00B8-618D-0880E43E5DFC} - C:\WINDOWS\winbn32.dll
O4 - HKLM\..\Run: [netkz.exe] C:\WINDOWS\netkz.exe
O4 - HKLM\..\Run: [crgh.exe] C:\WINDOWS\crgh.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\addcn.exe



Close ALL OPEN WINDOWS/BROWSERS and click Fix Checked



Step 3

Reboot into Safe Mode.

Start About Buster
With ALL windows closed - VERY important!
Click on 'Begin Removal' to start the scan.
When the scan has finished let it scan again.
A log of the scan will appear in the folder.
Exit About Buster.

Then run CleanUp!.
Click the Cleanup Tab and let it remove all the Temporary files it finds.
Click Close when finished but decline to reboot when prompted.


Step 4

Double-click on KillBox.exe to launch the program.
Click on 'Delete on Reboot'.
Paste the line below into the top Full Path of File to Delete field.

C:\WINDOWS\winbn32.dll

Click on the 'End Explorer Shell While Killing File' checkbox.
Click on the 'Unregister .dll Before Deleting' checkbox (if not greyed out).
Click the 'Delete File' button which looks like a stop sign.
Click No at the Pending Operations prompt.

Repeat the above steps for each of the following lines:

C:\WINDOWS\netkz.exe
C:\WINDOWS\crgh.exe
C:\WINDOWS\addcn.exe


After you add the last file and it prompts to reboot, you should press the Yes button to allow it to do so.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


As your machine starts to reboot, please start tapping F8 and go straight into Safe Mode - Very Important!!


Step 5

Now open Ewido Security Suite:

Click on Scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
Click Save report.
Save the report .txt file to your desktop.

Now close ewido security suite.


Step 6

Now double-click on the CWSServicemove.reg
Confirm you wish to add the contents to the registry when prompted and then reboot back to normal mode.


Step 7

Run an online virus scan at Trend Micro (Europe).

Reboot again when finished and post the following in THIS thread by clicking 'ADD Reply'.

1. New HijackThis log
2. About Buster scan log
3. Ewido scan log
4. Feedback on Trend Micro scan
  • 0

#3
adamsho1

adamsho1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Many thanks for your help. I think that this process cleaned up the computer. Going to give the computer back to my father and let him mess around a bit.

******

1. New HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 8:52:18 PM, on 8/1/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NetZero\exec.exe
C:\pilot\HOTSYNC.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {99D764FC-CDD7-00B8-618D-0880E43E5DFC} - C:\WINDOWS\winbn32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [netkz.exe] C:\WINDOWS\netkz.exe
O4 - HKLM\..\Run: [crgh.exe] C:\WINDOWS\crgh.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: HotSync Manager 2.0.lnk = C:\pilot\HOTSYNC.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .WAV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122818512199
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\addcn.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


2. About Buster scan log

AboutBuster 5.0 reference file 31
Scan started on [8/1/2005] at [8:28:07 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\BACKGRND.GIF:coghtq
Removed Stream! C:\WINDOWS\Black Thatch.bmp:upruot
Removed Stream! C:\WINDOWS\Blue Rivets.bmp:rtbuiq
Removed Stream! C:\WINDOWS\Bubbles.bmp:kutida
Removed Stream! C:\WINDOWS\CIJHBP.INI:zslnks
Removed Stream! C:\WINDOWS\dahotfix.log:vsyuim
Removed Stream! C:\WINDOWS\Default.sfc:nsqzkw
Removed Stream! C:\WINDOWS\DESKTOP1.SCR:glbeeh
Removed Stream! C:\WINDOWS\ocgen.log:xusosi
Removed Stream! C:\WINDOWS\ODBC.INI:ahwnvy
Removed Stream! C:\WINDOWS\progman.ini:txgrlp
Removed Stream! C:\WINDOWS\Q322913.log:erjkhc
Removed Stream! C:\WINDOWS\Q324096.log:wrcpbm
Removed Stream! C:\WINDOWS\Q326886.log:ppnmrg
Removed Stream! C:\WINDOWS\QDQICK.ini:aqrfob
Removed Stream! C:\WINDOWS\ubpjc.txt:scyavt
Removed Stream! C:\WINDOWS\winnt256.bmp:zzjjjd
Removed Stream! C:\WINDOWS\wmsetup.log:ryqwcn
Removed Stream! C:\WINDOWS\Zapotec.bmp:kamcfq
Removed Stream! C:\WINDOWS\~GLC0000.TMP:cbfhzb
------------------------------------------------
Removed File! : C:\Windows\kxjht.dat
------------------------------------------------
Scan was ABORTED at 8:28:13 PM


AboutBuster 5.0 reference file 31
Scan started on [8/1/2005] at [9:04:31 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\Windows\System32\evmve.dll
Removed File! : C:\Windows\System32\hnafm.dll
Removed File! : C:\Windows\System32\nkwew.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:06:35 PM


AboutBuster 5.0 reference file 31
Scan started on [8/1/2005] at [9:07:36 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:09:14 PM


3. Ewido scan log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:23:21 PM, 8/1/2005
+ Report-Checksum: 3EFBDB32

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{E1259401-E429-8855-B814-BD6EF247346C} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
C:\HijackThis\backups\backup-20050801-205627-998.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLER\NPROTECT\00000138.TXT -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00000248.TXT -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\RECYCLER\NPROTECT\00000396.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLER\NPROTECT\00000397.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\RECYCLER\NPROTECT\00000412.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\atlhx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlnj32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\mfcjq32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\mfcne32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mszm.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\nethk.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\POWERPNT.INI:awnmrf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\QTW.INI:ygdmpi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkyv32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\apihv32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\atljt32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\crql32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SYSTEM32\netzu32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SYSTEM32\pctptt.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\systb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\vbaddin.ini:kcrgpd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\welcome.ini:efglkg -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winez32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End

4. Feedback on Trend Micro scan

No problems found
  • 0

#4
bricat

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
we're not quite finished yet.


Click Start > Run > type services.msc, then click OK
Scroll down and right click on 'Network Security Service'
Select 'Properties' and set the "Service Status" option to "Stop"
Set "Startup type" to "Disabled", click Apply, then OK.


Rerun HJT,and put a checkmark beside these :-



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hnafm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {99D764FC-CDD7-00B8-618D-0880E43E5DFC} - C:\WINDOWS\winbn32.dll
O4 - HKLM\..\Run: [netkz.exe] C:\WINDOWS\netkz.exe
O4 - HKLM\..\Run: [crgh.exe] C:\WINDOWS\crgh.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\addcn.exe (file missing)

now close all windows and browsers and click FIX CHECKED


then reboot and post a fresh Hijackthis log.
  • 0

#5
adamsho1

adamsho1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Couldn't find an entry for Network Security Service in services.msc. Found the next similar item Network Connections and used that instead. a) was that correct and b) should I now change the strartup type to manual and the service status back to start/resume?


Here is the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:44:13 PM, on 8/5/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\regsvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\WINDOWS\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NZSearch\nzspc.exe
C:\pilot\HOTSYNC.EXE
C:\HijackThis\HijackThis.exe

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: HotSync Manager 2.0.lnk = C:\pilot\HOTSYNC.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .WAV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122818512199
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#6
bricat

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
It's very important that when asked to remove a file or disable a service that you follow the instructions exactly. deleting something "similar" could be disastrous to your computer.

go back to services.msc and put Network Connections back to manual start up.

your log looks clean now.

DISABLE SYSTEM RESTORE run your anti virus, when you get the all clear
restart your system restore.(same page).then create a new restore point :-

click START\ALL PROGRAMS\ACCESSORIES\SYSTEM TOOLS\SYSTEM RESTORE. click on "create new restore point"
click on NEXT and follow the prompts.


this is to ensure that if you have to do a system restore in the future that you don't get all the nasties reinstalled again.

Then

Go to TOOLS\INTERNET OPTIONS. and delete all TEMP INTERNET FILES

Download CCLEANER


then run the scan under the windows tab.



then DEFRAG your C:\ drive.

to help speed up your system.

then let us know how the computer is running.
  • 0

#7
adamsho1

adamsho1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Disable System Restore is an XP service and this computer is running 2000. Is this step necessary in 2000?
  • 0

#8
bricat

bricat

    Visiting Staff

  • Visiting Consultant
  • 645 posts
sorry :tazz: . ignore that part.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP