Recently I booted up my pc, logged into my profile and when it was loading programs a dos window popped up and disappeared then a blank window popped up with (titled) cmd.hta. Now I cannot retrieve NAV updates, it just hangs on 'initialising'. Action I have taken.. well tried! :
1. Ran full virus scan - come up with nothing
2. Tried running Adaware - said it encountered a problem and needed to close
3. Went to Trendmicro - scan picked up nothing but Hijacker option said this:
We found some issues, that you should be aware of. Though your files and system itself seem to be safe from hackers, your machine provides information about itself and/or publishes web-content.
Open/Closed ports on your machine:
Open ports: 53, 80, 22
Closed ports:
Not responding ports: 5900-5910, 3128, 500, 8080, 445, 12345, 113, 54320, 443, 8787, 139, 110, 79, 25, 23, 119, 135, 21, 138, 137, 143
4. Ran a program called Spyware Doctor (I forgot I had this) after getting latest def file which said this:
ISTbar
Infection risk level: High
Infection description: ISTbar is a Trojan downloader which will download additional malware components including but not limited to Internet Optimizer and Bargain Buddy. Servers which ISTbar will contact to download malware include: ysbweb.com, sidefind.com, download.bargain-buddy.net, slotch.com and more. In addition to being a Trojan it is also an Internet Explorer BHO installed as a toolbar.
CnsMin
Infection risk level: Medium
Infection description: CnsMin is another keyword-lookup provider that takes over the search feature of IE's address bar. It is aimed at providing keywords using Chinese characters.
Other than replacing the IE search feature with a Chinese site likely to be incomprehensible to non-Chinese users, CnsMin is not overtly harmful, but it uses extremely anti-social methods to make it difficult to uninstall. Is installed by ActiveX drive-by-download at its company's site, 3721.com. Has also apparently been included in junk e-mail, which could be how some Western users have ended up with it.
Advertising
Infection risk level: Low
Infection description: Advertising companies store cookies on a user's computer to serve targeted ads based on the web surfers interests when visiting a website serving their ads.
I fix checked and it got rid of everything except the ISTbar, I couldn't find it in the registry since it gave me the key - it had gone.
5. Went to find out more info on cmd.hta thru Google but it couldn't process my request as it said this:
We're sorry...
... but we can't process your request right now. A computer virus or spyware application is sending us automated requests, and it appears that your computer or network has been infected.
We'll restore your access as quickly as possible, so try again soon. In the meantime, you might want to run a virus checker or spyware remover to make sure that your computer is free of viruses and other spurious software.
So now I'm pretty muched stuffed so downloaded Hijackthis (to be honest Adaware has been good for me for ages) ran it and now have this log so in the hope that an expert can help me - because I need it!
Thanks a lot guys.
Logfile of HijackThis v1.99.1
Scan saved at 23:56:23, on 02/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Shane\My Documents\Progs\framxpro\FreeRAM XP Pro 1.40.exe
C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\Shane\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.virgin.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1
\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1
\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch
USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe"
startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5
\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32
\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Shane\My
Documents\Progs\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup
Killer\Popupkiller.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0
\Reader\reader_sl.exe
O4 - Global Startup: [bleep].cmd
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10
\OSA.EXE
O4 - Global Startup: Secure Tunnel.lnk = C:\Program Files\Secure Tunnel\stunnel.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32
\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1
\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell....iler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
http://www.ipix.com/download/ipixx.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -
http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player)
- http://www.installen...gine/isetup.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) -
http://ccon.madonion.../global/msc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B43399E-D737-4AC5-8E14-FA574EC143B9}: NameServer =
194.168.4.100 194.168.8.100
O21 - SSODL: System - {C40EE50D-1310-4E31-A427-C82F1457CF65} - C:\WINDOWS\system32
\system32.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -
C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32
\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation -
C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program
Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1
\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32
\ZoneLabs\vsmon.exe