Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

infected with a virus called Desktophijack [CLOSED]


  • This topic is locked This topic is locked

#1
Imu

Imu

    Member

  • Member
  • PipPip
  • 34 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:34:23 PM, on 08/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Athan\Athan.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\intell32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Bluetooth Software\BTTray.exe
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mr\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rugolzlmi...LZjCY1BbwYi.htm
O2 - BHO: (no name) - {2BA8185F-6DFC-3B22-5C19-F7C4026A12F5} - C:\DOCUME~1\mr\APPLIC~1\EGGSBO~1\License Bin.exe
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [sect option chic user] C:\Documents and Settings\All Users\Application Data\Free win sect option\Mode Option.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [bodytwo] C:\DOCUME~1\mr\APPLIC~1\DRIVEM~1\Knob Blah.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.5.0\ShprRprt.dll (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.5.0\ShprRprt.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{26EBB558-8231-48D1-B40D-06789825D224}: NameServer = 172.3.6.10 193.220.82.2
O18 - Filter: text/html - {1107D5CE-AE67-4363-B1E0-C4E4C65DA2D0} - C:\WINDOWS\System32\pblc.dll
O18 - Filter: text/plain - {1107D5CE-AE67-4363-B1E0-C4E4C65DA2D0} - C:\WINDOWS\System32\pblc.dll
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O21 - SSODL: Adobe Acrobat 5.0 - {EC6A3738-9909-01F3-D1C5-C2B288F188D4} - c:\program files\adobe\acrobat 5.0\reader\winlnjgy4.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi, I was the one working on your log last time, but you never got back to me :tazz:

Please try to reply back. I want to know what happened - good or bad ;)

OK, let's get this started...

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rugolzlmi...LZjCY1BbwYi.htm
O2 - BHO: (no name) - {2BA8185F-6DFC-3B22-5C19-F7C4026A12F5} - C:\DOCUME~1\mr\APPLIC~1\EGGSBO~1\License Bin.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [sect option chic user] C:\Documents and Settings\All Users\Application Data\Free win sect option\Mode Option.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [bodytwo] C:\DOCUME~1\mr\APPLIC~1\DRIVEM~1\Knob Blah.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.5.0\ShprRprt.dll (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.5.0\ShprRprt.dll (file missing)
O18 - Filter: text/html - {1107D5CE-AE67-4363-B1E0-C4E4C65DA2D0} - C:\WINDOWS\System32\pblc.dll
O18 - Filter: text/plain - {1107D5CE-AE67-4363-B1E0-C4E4C65DA2D0} - C:\WINDOWS\System32\pblc.dll
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)


Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Uninstall these if listed:

Messenger Plus - this program contains a 'sponsor' program. If you installed this 'sponsor' program, please uninstall Messenger Plus and reinstall it back but without the sponsor. In this case, you DID install it. So remove Messenger Plus.

ShopperReports


Delete these if found:

C:\DOCUME~1\mr\APPLIC~1\EGGSBO~1\
C:\Documents and Settings\All Users\Application Data\Free win sect option\
C:\WINDOWS\System32\intell32.exe
C:\Program Files\PSGuard\
C:\DOCUME~1\mr\APPLIC~1\DRIVEM~1\
C:\Program Files\MessengerPlus! 3\
C:\Program Files\ShopperReports\
C:\WINDOWS\System32\pblc.dll


Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the FindIt's log here along with the logs for HijackThis, Panda ActiveScan, smitfiles.txt and Ewido.
  • 0

#3
Imu

Imu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hii. Thank you very much for yor quick response. I am very sorry for my late reply as it took some time to complete all those tasks which you mentioned and plus the panda scan thongy was giving me problems everyday. I have posted all the logs which you have requested except for the panda scan log as it doesn't want to work on my pc. As per the last topic, the steps which you gave me were enough to disinfect my computer so thanks once again. :tazz: :)

Logfile of HijackThis v1.99.1
Scan saved at 12:07:30 AM, on 08/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Bluetooth Software\BTTray.exe
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\mr\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ozupehnivtwte...hF0SnTYsYRu.jsp
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26EBB558-8231-48D1-B40D-06789825D224}: NameServer = 172.3.8.90 193.220.82.2
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O21 - SSODL: Adobe Acrobat 5.0 - {EC6A3738-9909-01F3-D1C5-C2B288F188D4} - c:\program files\adobe\acrobat 5.0\reader\winlnjgy4.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Findit's Log

Microsoft Windows XP [Version 5.1.2600]
The current date is: 08/18/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINDOWS\System32\70TOVMTO.INI
* SAHAgent C:\WINDOWS\System32\BLN02NQV.INI
* SAHAgent C:\WINDOWS\System32\GAH95ON6.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is C858-D05C

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is C858-D05C

Directory of C:\WINDOWS\system32

08/19/2005 12:04 AM 1,406 AddQuit.ico
05/10/2004 01:42 PM 766 casino.ico
05/27/2004 02:30 PM 2,238 Date.ico
08/19/2005 12:04 AM 9,470 Desktop.ico
05/10/2004 01:42 PM 4,286 games.ico
08/19/2005 12:04 AM 1,406 Help.ico
08/19/2005 12:04 AM 5,350 IE.ico
05/10/2004 01:42 PM 4,286 mobile.ico
08/19/2005 12:04 AM 1,718 Open.ico
08/14/2005 10:30 AM 4,286 ptainfo1.ico
08/14/2005 10:30 AM 4,286 ptainfo2.ico
08/19/2005 12:03 AM 1,718 Quick.ico
05/10/2004 01:42 PM 4,286 scanner.ico
05/27/2004 02:30 PM 4,286 spam.ico
08/19/2005 12:04 AM 2,550 Uninstall.ico
15 File(s) 52,338 bytes
0 Dir(s) 36,113,719,296 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

Ewido Log

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:51:57 PM, 08/14/2005
+ Report-Checksum: 135F6028

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0774F696-D801-4C18-81A7-A3A32B8BEF19} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1E6AC766-9094-4BCF-ABD3-39E2EAEA5FCD} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2178C864-B8BC-41AE-A1FB-EB6A32F87EB1} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2A8A997F-BB9F-48F6-AA2B-2762D50F9289} -> Spyware.SmartShopper : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{454B4812-E572-4703-A1BB-63490809EAC0} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{580A1F3F-89B4-433B-BBDB-B97AEB13F3FC} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{74CC49F7-EB32-4A08-B204-948962A6E3DB} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7E66936C-FEA0-4984-AD26-7B6661AC5B2E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A798E2B4-B6A0-4B96-8C53-8EC7A3B0895A} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtHostIE.Bho -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtHostIE.Bho\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtHostIE.Bho\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbTools.HbtCommBand -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbTools.HbtCommBand\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbTools.HbtCommBand\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbTools.HbtTravelCompareBar -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbTools.HbtTravelCompareBar\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbTools.HbtTravelCompareBar\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtTools.HbMain -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtTools.HbMain\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbtTools.HbMain\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{34F4D917-31E4-464C-B8B3-84C1CE76B395} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{3F04CBF7-CD62-4403-B090-B432DEDCB159} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{3F6DA8BB-3E45-44E2-B494-C55BEAF3B41E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8578D35E-C6C0-4808-9A80-0F6C29A2C423} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC190DA5-0187-4D99-B3AC-6C45EA1B9324} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\RprtsPSClient.PSExecuter -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\RprtsPSClient.PSExecuter\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\RprtsPSClient.PSExecuter\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbAx -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbAx\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbAx\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbCommBand -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbCommBand\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbCommBand\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbInfoBand -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbInfoBand\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.HbInfoBand\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.IEButton -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.IEButton\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.IEButton\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.IEButtonA -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.IEButtonA\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.IEButtonA\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.SmrtShprCtl -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.SmrtShprCtl\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ShprRprts.SmrtShprCtl\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{45397063-D7D0-47C2-9508-26487608A298} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{71EFE583-62FE-4419-9918-CA3B683F7B36} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{842D315A-7E1E-448B-96E8-9E76D1820BE2} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{B5901229-25CC-43C9-B604-3BB6AC2B48A5} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{C83DAED4-0611-4F7A-978E-7FEAFCB2F91B} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\HbTools -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\PI -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\HbTools\HbTools\PI\3.2 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{7E66936C-FEA0-4984-AD26-7B6661AC5B2E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{946B3E9E-E21A-49c8-9F63-900533FAFE14} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E77EDA01-3C56-4a96-8D08-02B42891C169} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\ShopperReports -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\ShopperReports\Install -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\ShopperReports\ShopperReports -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\ShopperReports\ShopperReports\PostInstaller -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-343818398-1214440339-725345543-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{2178C864-B8BC-41AE-A1FB-EB6A32F87EB1} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-343818398-1214440339-725345543-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{7E66936C-FEA0-4984-AD26-7B6661AC5B2E} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-343818398-1214440339-725345543-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{A798E2B4-B6A0-4B96-8C53-8EC7A3B0895A} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-343818398-1214440339-725345543-1003\Software\ShopperReports -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-343818398-1214440339-725345543-1003\Software\ShopperReports\Install -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-343818398-1214440339-725345543-1003\Software\ShopperReports\ShopperReports -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-343818398-1214440339-725345543-1003\Software\ShopperReports\ShopperReports\PostInstaller -> Spyware.HotBar : Cleaned with backup
[476] C:\WINDOWS\system32\OLEEXT.dll -> Trojan.Agent.ff : Cleaned with backup
[696] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
C:\Program Files\C2Media\Setup.exe -> Spyware.Lop : Cleaned with backup
C:\Program Files\Mozilla Firefox\plugins\npzango.dll -> Spyware.WinAD : Cleaned with backup


::Report End


Smitrem log

~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll present!


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Infected! ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Infected! ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Infected! ~~~~
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Not 100% clean yet, but definitely better now :tazz:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\system32\AddQuit.ico
C:\WINDOWS\system32\casino.ico
C:\WINDOWS\system32\Date.ico
C:\WINDOWS\system32\Desktop.ico
C:\WINDOWS\system32\games.ico
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\IE.ico
C:\WINDOWS\system32\mobile.ico
C:\WINDOWS\system32\Open.ico
C:\WINDOWS\system32\ptainfo1.ico
C:\WINDOWS\system32\ptainfo2.ico
C:\WINDOWS\system32\Quick.ico
C:\WINDOWS\system32\scanner.ico
C:\WINDOWS\system32\spam.ico
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\System32\70TOVMTO.INI
C:\WINDOWS\System32\BLN02NQV.INI
C:\WINDOWS\System32\GAH95ON6.INI


Boot into Safe Mode.

Check and fix these in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ozupehnivtwte...hF0SnTYsYRu.jsp
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)

Run smitRem's RunThis.bat again. Save the log.

Run Ewido scan again. Save the log.

Reboot into Normal Mode and post the Ewido log, smitfiles.txt log and a new HijackThis log.
  • 0

#5
Imu

Imu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hii. Sorry once again for the late reply. All the logs that you require are posted below. About 5 days back, i was surfing and suddenly my screen turned red and in the middle, a spyware advert came. My hijackthis program was also not running. I runned AVG antivirus and ad-aware SE personal anti spyware program and the red screen with the spyware advert went away and hijackthis started working again. Now my screen is white and it flickers everytime. The wallpaper doesn't appear even when i select one. When i right click on the desktop and click on properties, it says that it's not available. After i ran hijackthis program to get the log posted below, my hijackthis program stopped working again. When i ran ad-aware SE personal, 1 critical object was detected and upon deleting that, my hijackthis started working again. Please help me out. :) Thanks alot. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 6:44:44 PM, on 08/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\mr\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ozupehnivtwte...hF0SnTYsYRu.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O21 - SSODL: Adobe Acrobat 5.0 - {EC6A3738-9909-01F3-D1C5-C2B288F188D4} - c:\program files\adobe\acrobat 5.0\reader\winlnjgy4.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


smitRem log file
version 2.3

by noahdfear

The current date is: 08/31/2005
The current time is: 22:18:44.48

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :)



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:57:22 PM, 08/31/2005
+ Report-Checksum: 83EA831B

+ Scan result:

C:\WINDOWS\system32\cool.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\system32\f.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\system32\libsys32.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup


::Report End
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Try not to take too long to get to the fixes because sometimes (like in your case), the infection might have mutated or spread itself elsewhere. I see new entries here already.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ozupehnivtwte...hF0SnTYsYRu.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

syslog32.exe
C:\WINDOWS\system32\svcnt32.exe
C:\WINDOWS\System32\libsys32.exe


Restart and run BOTH these scans:

Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Restart again and run a new HijackThis scan. Save the log file and post it here.
  • 0

#7
Imu

Imu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hii. Thanks for your reply. Well i ran hijackthis and i fixed all the items except for th first one which was not present. The problem is that i didn't find any of these 3.

syslog32.exe
C:\WINDOWS\system32\svcnt32.exe
C:\WINDOWS\System32\libsys32.exe

I don't understand what do you mean by: (delete folders if no filename is specified) and when you say (if none, just do a search for them), please tell me where do i search for them. Thanks. :tazz:
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
If they are not found, then they were probably deleted already.

What I mean was like this one:

syslog32.exe

No folder path is specified at all. Some users get lost on this and try to find it but don't know where to start. You must search for that file if I didn't specify where it is located.

New log please after you are done :tazz:
  • 0

#9
Imu

Imu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hii. Thanks once again for your reply. Well i tried finding these files but i didn't get them. I also have problems running the trend-micro and panda scans. When i run the trend micro, it says that the client could not be started and when i run the panda scan, it says that there is an error downloading this file and the possible causes are activex not being allowed to be downloaded. My desktop is still white and it also flickers. Well the hijackthis log is posted below. Thanks :tazz:



Logfile of HijackThis v1.99.1
Scan saved at 12:10:24 PM, on 09/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Athan\Athan.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Bluetooth Software\BTTray.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mr\My Documents\HijackThis\HijackThis.exe

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BAF7226-7D9B-42E4-B9B8-8487894B00CD}: NameServer = 172.3.8.0 193.220.82.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BAF7226-7D9B-42E4-B9B8-8487894B00CD}: NameServer = 172.3.8.0 193.220.82.2
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O21 - SSODL: Adobe Acrobat 5.0 - {EC6A3738-9909-01F3-D1C5-C2B288F188D4} - c:\program files\adobe\acrobat 5.0\reader\winlnjgy4.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#10
Imu

Imu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hii once again. Well i have some good news. After i had posted my last reply, i came accross a topic in the similar threads section titled white/grey desktop virus. When i was going through it, i noticed that the problem was the same as mine. I went through it and i found that the person who had been infected with this wrote that he had gone to control panel/appearance/desktop/customize/web tab and had deselected and deleted "security" and he got his desktop back. Well i decided to do the same. When i tried it, it didn't happen at the first go as i think i had forgotten to click on apply. When i did it the second time and clicked on apply, i tried selecteing a wallpaper and there it came. Now i have my desktop back. :) Please advice me if this was a wise thing to do and please continue to reply me. Thanks alot. :tazz:
  • 0

#11
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I thought I did mention that already. I'm sure I did because I just looked back and there it is:

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Only for 98 systems, it's under Appearance tab, but I'm sure that the one you looked at said the same exact thing.

Decide what antivirus program you want to use (Norton or Grisoft AVG) and uninstall one of them. Those two will conflict with each other.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Make sure that you are disconnected from the internet and close all your protection programs now. They might be interferring with the fix here.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop ntlogin32
sc delete ntlogin32
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Go into HijackThis->Config->Misc Tools->Delete an NT service and type in ntlogin32 and hit OK.

Go to Start->Run and type in services.msc and hit OK. Then look for NT login service (ntlogin32) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)


Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0

#12
Imu

Imu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hii. Well i have a big problem. My hijackthis is not running. I have been trying to run it since your last reply and am tired of trying. I tried uninstalling and installing it but it's of no use. Don't know what to do. Please help :) Thanks :tazz:
  • 0

#13
Imu

Imu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 34 posts
Hii again!! I have some good news. I ran avg and ad-aware se personal and there were some viruses and spywares on my pc. I deleted them and on deleting them, my hijackthis started working. Well i shall reply you as soon as i am done with the fixes. thanks :tazz:
  • 0

#14
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP