Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need help cleaning my computer HijackThis log. [RESOLVED]

Started by Topen , Sep 08 2005 04:34 AM

  • This topic is locked This topic is locked

#1
Topen
Posted 08 September 2005 - 04:34 AM

Topen

    Member

  • Member
  • PipPip
  • 15 posts
Hi.

Been having problems with spyware and virus for a time now, I got some away but there are still things going on here.

Most of all, Norton warns about a c:\Windows\sysmte32\hclean32.dll containing virus when I start FireFox (which then crashes), but the file does not exist.

Windows keeps warning about "spyware activity" going on from time to time.

Ad-Aware can't perform a Deep Scan of Register, it just freees....

So here's my HijackThis log:
-----------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:12:56, on 2005-09-08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program\NORTON~1\navapw32.exe
C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Compaq\Skrivbord\HijackThis.exe
C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...1c02&lc=041d
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presar...=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lnkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Name - {113D32D9-0497-4932-9D75-0ADE70F4B51D} - C:\WINDOWS\System32\msxbk.dll (file missing)
O2 - BHO: (no name) - {46E2759C-8D01-47CE-8DC9-2E819D539C9A} - C:\WINDOWS\System32\qwsxp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtange...ave/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124367060000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{651ED3DD-2725-4013-8A47-A7C05A0445FA}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1AF3AA7-EDAC-459D-A7E0-B4B9398B3E80}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F08ABD2E-485B-4B60-A61A-5E7F14276747}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5144BEB-1A27-4D94-AA42-88E6E815CF89}: NameServer = 195.95.218.1,85.255.112.7
O18 - Filter: t5LDR - {485DE7AB-2091-4B94-9818-BCAF97125DD9} - C:\WINDOWS\System32\qwsxp.dll
O18 - Filter: t5ER - {6AD83BCC-8DD9-4823-B032-C09CECA494DC} - C:\WINDOWS\System32\qwsxp.dll
O18 - Filter: t5ER - {9FD76AF8-93D5-4B1F-ABF7-89A2235411FB} - C:\WINDOWS\System32\qwsxp.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-----------------------------------------------------------------------------------------------

Thanks for any help...

/Tomas
  • 0

Advertisements

#2
Topen
Posted 08 September 2005 - 05:29 AM

Topen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I discovered someone else had the exact same problem as me, just way better described!

http://www.geekstogo...wav-t61575.html

There was suggested to download and run RKfiles.zip, so I did.

This is my result, if it helps any more!

Files Found in system Folder............
------------------------
C:\WINDOWS\system32\pav.sig: UPX!
C:\WINDOWS\system32\pav.sig: UPX!
C:\WINDOWS\system32\certcclie.exe: PEFSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
C:\WINDOWS\system32\pav.sig: UPX!
C:\WINDOWS\system32\pav.sig: UPX!
C:\WINDOWS\system32\certcclie.exe: PEFSG!
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\daemon.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye


Any help appreciated!

/Tomas
  • 0

#3
tampabelle
Posted 12 September 2005 - 01:11 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run CleanUp!Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
  • 0

#4
Topen
Posted 13 September 2005 - 05:03 AM

Topen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hello.

First of all, thanks alot for taking your time to help me :tazz:


The programs you instructed me to use didn't find anything.
Neither did the Virus scan.

Cleanup! did clean up a whole load of stuff (around 2g).

When starting Mozilla FireFox, Norton still warns for a virus in
C:\windows\system32\hclean32.exe

And the little ballon "Your computer might be at risk" pops up too...

I ran HijackThis again, this is the most recent log:

Logfile of HijackThis v1.99.1
Scan saved at 12:57:40, on 2005-09-13
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\NORTON~1\navapw32.exe
C:\WINDOWS\System32\alg.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq\Skrivbord\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...1c02&lc=041d
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presar...=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lnkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Name - {113D32D9-0497-4932-9D75-0ADE70F4B51D} - C:\WINDOWS\System32\msxbk.dll (file missing)
O2 - BHO: (no name) - {46E2759C-8D01-47CE-8DC9-2E819D539C9A} - C:\WINDOWS\System32\qwsxp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtange...ave/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124367060000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{651ED3DD-2725-4013-8A47-A7C05A0445FA}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1AF3AA7-EDAC-459D-A7E0-B4B9398B3E80}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F08ABD2E-485B-4B60-A61A-5E7F14276747}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5144BEB-1A27-4D94-AA42-88E6E815CF89}: NameServer = 195.95.218.1,85.255.112.7
O18 - Filter: t5LDR - {485DE7AB-2091-4B94-9818-BCAF97125DD9} - C:\WINDOWS\System32\qwsxp.dll
O18 - Filter: t5ER - {6AD83BCC-8DD9-4823-B032-C09CECA494DC} - C:\WINDOWS\System32\qwsxp.dll
O18 - Filter: t5ER - {9FD76AF8-93D5-4B1F-ABF7-89A2235411FB} - C:\WINDOWS\System32\qwsxp.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Awaiting instructions :)
  • 0

#5
tampabelle
Posted 13 September 2005 - 08:19 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presar...=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: Name - {113D32D9-0497-4932-9D75-0ADE70F4B51D} - C:\WINDOWS\System32\msxbk.dll (file missing)
O2 - BHO: (no name) - {46E2759C-8D01-47CE-8DC9-2E819D539C9A} - C:\WINDOWS\System32\qwsxp.dll (file missing)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{651ED3DD-2725-4013-8A47-A7C05A0445FA}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1AF3AA7-EDAC-459D-A7E0-B4B9398B3E80}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F08ABD2E-485B-4B60-A61A-5E7F14276747}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5144BEB-1A27-4D94-AA42-88E6E815CF89}: NameServer = 195.95.218.1,85.255.112.7
O18 - Filter: t5LDR - {485DE7AB-2091-4B94-9818-BCAF97125DD9} - C:\WINDOWS\System32\qwsxp.dll
O18 - Filter: t5ER - {6AD83BCC-8DD9-4823-B032-C09CECA494DC} - C:\WINDOWS\System32\qwsxp.dll
O18 - Filter: t5ER - {9FD76AF8-93D5-4B1F-ABF7-89A2235411FB} - C:\WINDOWS\System32\qwsxp.dll

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.


Delete the files, if found -

C:\WINDOWS\System32\qwsxp.dll
C:\WINDOWS\System32\msxbk.dll




Please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers".
On the next page, click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now"
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me along with a fresh HJT log.
  • 0

#6
Topen
Posted 14 September 2005 - 06:40 AM

Topen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Done!

Spy Sweeper removed alot of stuff.
after reboot I ran it again to be sure, and when it opened, the log say:

13:08: Warning: Failed to check file "c:\windows\system32\hclean32.exe". Cannot open file "c:\windows\system32\hclean32.exe". tkomst nekad

"tkomst nekad" is "access denied"

The scan found nothing though.

FireFox still crash on start and Norton says there is a trojan virus in that file.

I tried to find that file myself, and discovered that it can't be seen.
I made a small experiment trying to rename an empty txt file to hclean32.exe, and it dissappears... Littrary it can't be found, neither as .exe or .txt as original name was.

Thought I'd mention this in case it has some importance.
(btw, I CAN see hidden system files etc)

Running Spy Sweeper after this found even more stuff, specifically:
C:\WINDOWS\system32\rdsndin.exe

I have a suspicion that something is attacking my "primary" web browser, as I did have lot of problems with IE at first. After installing FireFox, and setting that as primary browserm, the problems kind of moved over to there. IE now works, FF doesn't.

Spy Sweeper log:
-----------------------------------------------------------------------------------------------
********
13:08: | Start of Session, den 14 september 2005 |
13:08: Spy Sweeper started
13:08: Sweep initiated using definitions version 533
13:09: Starting Memory Sweep
13:10: Found Trojan Horse: trojan-secdrop
13:10: Detected running threat: C:\WINDOWS\system32\rdsndin.exe (ID = 81237)
13:10: Found Trojan Horse: trojan-downloader-ruin
13:10: Detected running threat: C:\WINDOWS\system32\ntfsnlpa.exe (ID = 125496)
13:10: Memory Sweep Complete, Elapsed Time: 00:01:43
13:10: Starting Registry Sweep
13:10: Found Adware: cws-aboutblank
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1006\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
13:10: Found Adware: cws obfuscated bho hijack
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1006\software\microsoft\internet explorer\main\ || search bar (ID = 116786)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\main\ || search bar (ID = 116786)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1006\software\microsoft\internet explorer\main\ || search page (ID = 116787)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\main\ || search page (ID = 116787)
13:10: Found Adware: cws_cassandra
13:10: HKLM\software\microsoft\internet explorer\urls\ || http://69.50.161.11/woinst.exe (ID = 117062)
13:10: Found Adware: dapsol dialer
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\main\ || conc (ID = 124673)
13:10: Found Adware: freshbar
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {06abaa2d-34ab-4902-a326-409bd9b9a7a5} (ID = 126698)
13:10: Found Adware: clearsurfing hijack
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\ (259 subtraces) (ID = 126710)
13:10: Found Adware: searchtoolbar
13:10: HKU\S-1-5-21-4149289120-3723271197-3242847100-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {08bec6aa-49fc-4379-3587-4b21e286c19e} (ID = 139177)
13:10: Found Adware: quicklink search toolbar
13:10: HKU\S-1-5-21-4149289120-3723271197-3242847100-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {08bec6aa-49fc-4379-3587-4b21e286c19e} (ID = 139177)
13:10: HKU\S-1-5-21-4149289120-3723271197-3242847100-1005\software\searchtoolbar\ (5 subtraces) (ID = 141343)
13:10: HKLM\software\searchtoolbar\ (3 subtraces) (ID = 141346)
13:10: Found Trojan Horse: trojan-dnschanger
13:10: HKLM\software\microsoft\windows\currentversion\run\ || yaemu.exe (ID = 144229)
13:10: Found Trojan Horse: trojan-downloader-alureonb
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\windows\currentversion\run\ || dtours (ID = 144311)
13:10: Found Trojan Horse: trojan-downloader-hidd
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\ || emandislc (ID = 144627)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\main\ || starter page (ID = 144628)
13:10: HKLM\software\microsoft\windows\currentversion\ || emandislc (ID = 144629)
13:10: HKLM\software\microsoft\windows\currentversion\ || emanelif (ID = 144630)
13:10: HKLM\software\microsoft\windows\currentversion\ || emanexe (ID = 144631)
13:10: HKLM\software\microsoft\windows\currentversion\ || emanger (ID = 144632)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\windows\currentversion\nur\ (12 subtraces) (ID = 144689)
13:10: Found Trojan Horse: trojan-downloader-wareout
13:10: HKU\S-1-5-21-4149289120-3723271197-3242847100-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {bf69df00-2734-477f-8257-27cd04f88779} (ID = 144839)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\extensions\cmdmapping\ || {bf69df00-2734-477f-8257-27cd04f88779} (ID = 144839)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\extensions\{bf69df00-2734-477f-8257-27cd04f88779}\ (8 subtraces) (ID = 144840)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\windows\currentversion\run\ || lpt (ID = 144850)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\windows\currentversion\run\ || wareout (ID = 144859)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\wareout\ (6 subtraces) (ID = 144878)
13:10: HKLM\software\microsoft\windows\currentversion\run\ || hclean32.exe (ID = 595890)
13:10: HKLM\software\microsoft\windows\currentversion\urls\ (16 subtraces) (ID = 605127)
13:10: HKLM\software\microsoft\windows\currentversion\ruins\ (169 subtraces) (ID = 605128)
13:10: Registry Sweep Complete, Elapsed Time:00:00:13
13:10: Starting Cookie Sweep
13:11: Found Spy Cookie: customer cookie
13:11: compaq@customer[1].txt (ID = 2481)
13:11: Cookie Sweep Complete, Elapsed Time: 00:00:01
13:11: Starting File Sweep
13:11: Found Adware: powerstrip
13:11: c:\program\powerstrip (11 subtraces) (ID = -2147476660)
13:11: run_dos.dll (ID = 80551)
13:11: ntfsnlpa.exe (ID = 125496)
13:11: rdsndin.exe (ID = 81237)
13:12: loadctr32.exe (ID = 125495)
13:14: File Sweep Complete, Elapsed Time: 00:03:02
13:14: Full Sweep has completed. Elapsed time 00:05:03
13:14: Traces Found: 529
13:28: Removal process initiated
13:28: Quarantining All Traces: trojan-secdrop
13:28: Quarantining All Traces: trojan-downloader-ruin
13:28: Quarantining All Traces: cws-aboutblank
13:28: Quarantining All Traces: cws obfuscated bho hijack
13:28: Quarantining All Traces: cws_cassandra
13:28: Quarantining All Traces: dapsol dialer
13:28: Quarantining All Traces: freshbar
13:28: Quarantining All Traces: clearsurfing hijack
13:28: Quarantining All Traces: searchtoolbar
13:28: Quarantining All Traces: quicklink search toolbar
13:28: Quarantining All Traces: trojan-dnschanger
13:28: Quarantining All Traces: trojan-downloader-alureonb
13:28: Quarantining All Traces: trojan-downloader-hidd
13:28: Quarantining All Traces: trojan-downloader-wareout
13:28: Quarantining All Traces: customer cookie
13:28: Quarantining All Traces: powerstrip
13:29: Removal process completed. Elapsed time 00:01:08
********
13:06: | Start of Session, den 14 september 2005 |
13:06: Spy Sweeper started
13:07: Messenger service has been disabled.
13:08: Warning: Failed to check file "c:\windows\system32\hclean32.exe". Cannot open file "c:\windows\system32\hclean32.exe". tkomst nekad
13:08: Updating spyware definitions
13:08: Your definitions are up to date.
13:08: | End of Session, den 14 september 2005 |


-----------------------------------------------------------------------------------------------
Second run after starting FireFox.
-----------------------------------------------------------------------------------------------

13:08: | Start of Session, den 14 september 2005 |
13:08: Spy Sweeper started
13:08: Sweep initiated using definitions version 533
13:09: Starting Memory Sweep
13:10: Found Trojan Horse: trojan-secdrop
13:10: Detected running threat: C:\WINDOWS\system32\rdsndin.exe (ID = 81237)
13:10: Found Trojan Horse: trojan-downloader-ruin
13:10: Detected running threat: C:\WINDOWS\system32\ntfsnlpa.exe (ID = 125496)
13:10: Memory Sweep Complete, Elapsed Time: 00:01:43
13:10: Starting Registry Sweep
13:10: Found Adware: cws-aboutblank
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1006\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)
13:10: Found Adware: cws obfuscated bho hijack
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1006\software\microsoft\internet explorer\main\ || search bar (ID = 116786)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\main\ || search bar (ID = 116786)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1006\software\microsoft\internet explorer\main\ || search page (ID = 116787)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\main\ || search page (ID = 116787)
13:10: Found Adware: cws_cassandra
13:10: HKLM\software\microsoft\internet explorer\urls\ || http://69.50.161.11/woinst.exe (ID = 117062)
13:10: Found Adware: dapsol dialer
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\main\ || conc (ID = 124673)
13:10: Found Adware: freshbar
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {06abaa2d-34ab-4902-a326-409bd9b9a7a5} (ID = 126698)
13:10: Found Adware: clearsurfing hijack
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\ (259 subtraces) (ID = 126710)
13:10: Found Adware: searchtoolbar
13:10: HKU\S-1-5-21-4149289120-3723271197-3242847100-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {08bec6aa-49fc-4379-3587-4b21e286c19e} (ID = 139177)
13:10: Found Adware: quicklink search toolbar
13:10: HKU\S-1-5-21-4149289120-3723271197-3242847100-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {08bec6aa-49fc-4379-3587-4b21e286c19e} (ID = 139177)
13:10: HKU\S-1-5-21-4149289120-3723271197-3242847100-1005\software\searchtoolbar\ (5 subtraces) (ID = 141343)
13:10: HKLM\software\searchtoolbar\ (3 subtraces) (ID = 141346)
13:10: Found Trojan Horse: trojan-dnschanger
13:10: HKLM\software\microsoft\windows\currentversion\run\ || yaemu.exe (ID = 144229)
13:10: Found Trojan Horse: trojan-downloader-alureonb
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\windows\currentversion\run\ || dtours (ID = 144311)
13:10: Found Trojan Horse: trojan-downloader-hidd
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\ || emandislc (ID = 144627)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\main\ || starter page (ID = 144628)
13:10: HKLM\software\microsoft\windows\currentversion\ || emandislc (ID = 144629)
13:10: HKLM\software\microsoft\windows\currentversion\ || emanelif (ID = 144630)
13:10: HKLM\software\microsoft\windows\currentversion\ || emanexe (ID = 144631)
13:10: HKLM\software\microsoft\windows\currentversion\ || emanger (ID = 144632)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\windows\currentversion\nur\ (12 subtraces) (ID = 144689)
13:10: Found Trojan Horse: trojan-downloader-wareout
13:10: HKU\S-1-5-21-4149289120-3723271197-3242847100-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {bf69df00-2734-477f-8257-27cd04f88779} (ID = 144839)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\extensions\cmdmapping\ || {bf69df00-2734-477f-8257-27cd04f88779} (ID = 144839)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\internet explorer\extensions\{bf69df00-2734-477f-8257-27cd04f88779}\ (8 subtraces) (ID = 144840)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\windows\currentversion\run\ || lpt (ID = 144850)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\microsoft\windows\currentversion\run\ || wareout (ID = 144859)
13:10: HKU\WRSS_Profile_S-1-5-21-4149289120-3723271197-3242847100-1007\software\wareout\ (6 subtraces) (ID = 144878)
13:10: HKLM\software\microsoft\windows\currentversion\run\ || hclean32.exe (ID = 595890)
13:10: HKLM\software\microsoft\windows\currentversion\urls\ (16 subtraces) (ID = 605127)
13:10: HKLM\software\microsoft\windows\currentversion\ruins\ (169 subtraces) (ID = 605128)
13:10: Registry Sweep Complete, Elapsed Time:00:00:13
13:10: Starting Cookie Sweep
13:11: Found Spy Cookie: customer cookie
13:11: compaq@customer[1].txt (ID = 2481)
13:11: Cookie Sweep Complete, Elapsed Time: 00:00:01
13:11: Starting File Sweep
13:11: Found Adware: powerstrip
13:11: c:\program\powerstrip (11 subtraces) (ID = -2147476660)
13:11: run_dos.dll (ID = 80551)
13:11: ntfsnlpa.exe (ID = 125496)
13:11: rdsndin.exe (ID = 81237)
13:12: loadctr32.exe (ID = 125495)
13:14: File Sweep Complete, Elapsed Time: 00:03:02
13:14: Full Sweep has completed. Elapsed time 00:05:03
13:14: Traces Found: 529
13:28: Removal process initiated
13:28: Quarantining All Traces: trojan-secdrop
13:28: Quarantining All Traces: trojan-downloader-ruin
13:28: Quarantining All Traces: cws-aboutblank
13:28: Quarantining All Traces: cws obfuscated bho hijack
13:28: Quarantining All Traces: cws_cassandra
13:28: Quarantining All Traces: dapsol dialer
13:28: Quarantining All Traces: freshbar
13:28: Quarantining All Traces: clearsurfing hijack
13:28: Quarantining All Traces: searchtoolbar
13:28: Quarantining All Traces: quicklink search toolbar
13:28: Quarantining All Traces: trojan-dnschanger
13:28: Quarantining All Traces: trojan-downloader-alureonb
13:28: Quarantining All Traces: trojan-downloader-hidd
13:28: Quarantining All Traces: trojan-downloader-wareout
13:28: Quarantining All Traces: customer cookie
13:28: Quarantining All Traces: powerstrip
13:29: Removal process completed. Elapsed time 00:01:08
********



-----------------------------------------------------------------------------------------------

HJT log:
-----------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 13:40:01, on 2005-09-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\NORTON~1\navapw32.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Compaq\Skrivbord\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...1c02&lc=041d
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lnkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtange...ave/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124367060000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Hope this helps... :tazz:

Edited by Topen, 14 September 2005 - 06:42 AM.

  • 0

#7
tampabelle
Posted 14 September 2005 - 10:41 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#8
Topen
Posted 14 September 2005 - 11:04 AM

Topen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"NAV Agent" = "C:\Program\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"LVCOMS" = "C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE" ["Logitech Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"Symantec NetDriver Monitor" = "C:\Program\SYMNET~1\SNDMon.exe /Consumer" [file not found]
"SSC_UserPrompt" = "C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Zone Labs Client" = "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"SpySweeper" = ""C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Kontrollpanelstillgg fr bildskrmspanorering"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-ikontillgg"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Microsoft Office\Office10\msohev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csqlc.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\09QB4LA7\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\8D6JGHEV\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\8WDWFODO\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\A5HURUXG\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\A99Y0TPQ\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\FNT73PGS\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\G7NL22ZK\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\GHIJCHMN\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\GTAV8XQR\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\IXO36LA5\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\LBFJHTWE\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\M2IO429H\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\O39J2U35\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\PSSJDXCH\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\ST4JKRGV\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\UXVKDCRQ\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\VYGNF18L\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\W52N0LQ7\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\YB27MDEZ\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Temporary Internet Files\Content.IE5\YTTMBY5W\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Tidigare\DESKTOP.INI -- cannot be opened!
C:\Documents and Settings\Micke\Lokala instllningar\Tidigare\History.IE5\DESKTOP.INI -- cannot be opened!


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Sk igenom datorn" -> launches: "C:\Program\NORTON~1\NAVW32.EXE /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program\Messenger\MSMSGS.EXE" [MS]


HOSTS file
----------

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
HIJACK WARNING! "DataBasePath" = "C:\WINDOWS\nsdb"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Intel® NMS, NMSSvc, "C:\WINDOWS\System32\NMSSvc.exe" ["Intel Corporation"]
Norton AntiVirus Auto-Protect, navapsvc, "C:\Program\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 110 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 24 seconds.
---------- (total run time: 216 seconds)
  • 0

#9
tampabelle
Posted 14 September 2005 - 11:30 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Topen,

Download Hoster.zip and save it on your desktop.

Unzip and extract the files from Hoster.zip and save them also on your desktop.

Run Hoster.exe from the extracted files. Click on "Restore Original Hosts"


Copy everything in the quote box below (starting with REGEDIT4) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixware.reg on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""


Double-click fixware.reg and when asked if you want to merge with the registry click YES.

After the merged successfully prompt, please reboot your computer.

Please download the Killbox by Option^Explicit. Save it to your desktop.

Run Killbox.exe. Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\system32\ntfsnlpa.exe
C:\WINDOWS\system32\rdsndin.exe
C:\WINDOWS\system32\certcclie.exe
C:\WINDOWS\system32\csqlc.exe
C:\WINDOWS\system32\cshlg.exe
C:\WINDOWS\system32\hclean32.exe
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.


After reboot, post a new HiJackThis log here.
  • 0

#10
Topen
Posted 14 September 2005 - 11:46 AM

Topen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi.

After first restart the file rdsndin.exe suddenly appears on my desktop. Unable to remove or rename it :tazz:

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 19:43:24, on 2005-09-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\NORTON~1\navapw32.exe
C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\alg.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Compaq\Skrivbord\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lnkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} - http://www.wildtange...ave/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124367060000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Any more I shall do? :)
  • 0

Advertisements

#11
tampabelle
Posted 14 September 2005 - 02:09 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Can you run rkfiles and post a fresh log here ???
  • 0

#12
Topen
Posted 14 September 2005 - 04:10 PM

Topen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\pav.sig: UPX!
C:\WINDOWS\system32\pav.sig: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
C:\WINDOWS\system32\pav.sig: UPX!
C:\WINDOWS\system32\pav.sig: UPX!
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\daemon.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
  • 0

#13
tampabelle
Posted 14 September 2005 - 05:54 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
Please run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.
  • 0

#14
tampabelle
Posted 14 September 2005 - 05:57 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Duplicate post.

Edited out

Edited by tampabelle, 14 September 2005 - 05:58 PM.

  • 0

#15
Topen
Posted 15 September 2005 - 05:17 PM

Topen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hey.

Here's the MWav infected results.

I suppose all the things found in "Norton" folder would be the hclean32.exe finds. Norton said it Quarantined that file... alot of times.

I noticed you did NOT tell me to check "registry" for scanning. Is that correct?

What next? :tazz:

Object "AdWare.ToolBar.SBSoft.h Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "PowerStrip Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Popuper Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP0.exe infected by "Virus.Win32.Parite.b" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP1.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP10.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP11.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP12.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP13.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP14.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP15.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP16.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP17.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP18.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP19.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP2.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP20.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP21.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP22.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP23.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP24.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP25.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP26.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP27.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP28.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP3.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP4.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP5.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP6.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP7.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP8.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP9.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File D:\download\finished\win_hl_1110.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
File D:\Spel\Half-Life\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP0.exe infected by "Virus.Win32.Parite.b" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP1.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP10.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP11.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP12.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP13.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP14.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP15.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP16.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP17.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP18.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP19.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP2.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP20.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP21.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP22.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP23.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP24.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP25.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP26.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP27.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP28.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP3.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP4.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP5.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP6.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP7.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP8.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
File C:\Program\Norton AntiVirus\Quarantine\Incoming\AP9.exe infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP