Need help [RESOLVED]


  • This topic is locked

#1 mahirada (banned, 24 posts)
Logfile of HijackThis v1.99.1
Scan saved at 14:05:18, on 27.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX03.109\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://metu.edu.tr/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB9C2703-5FE4-461A-9A1E-7C00F200B06D}: NameServer = 144.122.199.20,144.122.199.90
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\m6nq0g55e6.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe



#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello,

Please download WebRoot SpySweeper from HERE (it's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window, save it in Notepad and place it on your desktop.
  • Click the Summary tab and click Finish.
  • REBOOT (Really important!!)
  • Paste the contents of the session log you copied into your next reply together with a new HijackThis log.


#3 mahirada (Topic Starter, banned, 24 posts)
********
15:15: | Start of Session, 27 Ekim 2005 Perşembe |
15:15: Spy Sweeper started
15:15: Sweep initiated using definitions version 562
15:15: Starting Memory Sweep
15:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:16: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:16: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:16: Found Adware: icannnews
15:16: Detected running threat: C:\WINDOWS\system32\m6nq0g55e6.dll (ID = 83)
15:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:17: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:17: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:17: Detected running threat: C:\WINDOWS\system32\WIDRMNet.dll (ID = 83)
15:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:18: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:18: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:19: Memory Sweep Complete, Elapsed Time: 00:03:46
15:19: Starting Registry Sweep
15:19: Found Adware: azsearch toolbar
15:19: HKCR\azentretien.loader\ (5 subtraces) (ID = 103886)
15:19: HKLM\software\azentretienco\ (3 subtraces) (ID = 103905)
15:19: HKLM\software\classes\azentretien.loader\ (5 subtraces) (ID = 103910)
15:19: Registry Sweep Complete, Elapsed Time:00:00:20
15:19: Starting Cookie Sweep
15:19: Found Spy Cookie: belnk cookie
15:19: administrator@belnk[1].txt (ID = 2292)
15:19: administrator@dist.belnk[2].txt (ID = 2293)
15:19: Cookie Sweep Complete, Elapsed Time: 00:00:00
15:19: Starting File Sweep
15:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:19: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:19: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:20: Found Adware: look2me
15:20: iconu.exe (ID = 65721)
15:20: azesearch.bmp (ID = 50322)
15:20: bw2.com (ID = 65721)
15:21: appwrap[1].exe (ID = 65721)
15:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:21: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:21: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:21: appwrap[1].exe (ID = 65739)
15:21: icont.exe (ID = 65722)
15:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:22: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:22: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:23: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:23: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:24: appwrap[1].exe (ID = 65722)
15:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:25: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:25: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:26: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:26: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:27: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:27: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:28: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:28: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:29: appwrap[1].exe (ID = 65739)
15:29: appwrap[1].exe (ID = 65722)
15:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:30: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:30: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:31: File Sweep Complete, Elapsed Time: 00:11:31
15:31: Full Sweep has completed. Elapsed time 00:15:42
15:31: Traces Found: 29
15:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:31: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:31: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:32: Removal process initiated
15:32: Quarantining All Traces: look2me
15:32: Quarantining All Traces: azsearch toolbar
15:32: Quarantining All Traces: icannnews
15:32: icannnews is in use. It will be removed on reboot.
15:32: C:\WINDOWS\system32\m6nq0g55e6.dll is in use. It will be removed on reboot.
15:32: C:\WINDOWS\system32\WIDRMNet.dll is in use. It will be removed on reboot.
15:32: Quarantining All Traces: belnk cookie
15:32: Warning: Launched explorer.exe
15:32: Warning: Quarantine process could not restart Explorer.
15:33: Preparing to restart your computer. Please wait...
15:33: Removal process completed. Elapsed time 00:01:26
********
15:14: | Start of Session, 27 Ekim 2005 Perşembe |
15:14: Spy Sweeper started
15:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:14: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
15:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:14: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
15:15: Your spyware definitions have been updated.
15:15: | End of Session, 27 Ekim 2005 Perşembe |

Logfile of HijackThis v1.99.1
Scan saved at 15:40:52, on 27.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX03.766\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB9C2703-5FE4-461A-9A1E-7C00F200B06D}: NameServer = 144.122.199.20,144.122.199.90
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
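The two HijackThis logs in this thread differ in exactly the entries a helper looks for: the O20 Winlogon Notify line pointing at a randomly named DLL (C:\WINDOWS\system32\m6nq0g55e6.dll) is gone after the Spy Sweeper run, and the Webroot service, Run key and WRNotifier entry have appeared. The script below is an added example written for this page, not code from the thread, from HijackThis or from Webroot. It parses HijackThis entry lines, diffs two logs, and flags O20 entries whose DLL name looks machine-generated. The sample logs are a constructed subset of the lines posted above, and the letter/digit-transition heuristic in `looks_generated` is an assumed rule of thumb, not something the thread states.

```python
# Added example (not from the thread or from HijackThis): diff two HijackThis
# logs and flag O20 Winlogon Notify DLLs with machine-looking names such as
# C:\WINDOWS\system32\m6nq0g55e6.dll from the first log above.
import os
import re

# Constructed sample input: a subset of the entry lines from the two logs in
# the thread (before and after the Spy Sweeper run), kept short for the diff.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\m6nq0g55e6.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# HijackThis entry lines start with a section tag (R0, F1, N1, O4, O20, ...)
# followed by " - " and the entry detail.
HJT_LINE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*\S)\s*$")


def parse_hjt(text):
    """Return [(section, detail)] for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added): entries present only before / only after."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)


def looks_generated(stem):
    """Assumed heuristic: a file stem of 8+ chars that mixes letters and digits
    with at least three letter/digit transitions (m6nq0g55e6) reads as
    machine-generated; vendor names like NavShExt or WRLogonNTF do not."""
    if len(stem) < 8:
        return False
    kinds = ["d" if c.isdigit() else "a" for c in stem if c.isalnum()]
    if "d" not in kinds or "a" not in kinds:
        return False
    transitions = sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)
    return transitions >= 3


def flag_winlogon_notify(entries):
    """Return DLL paths from O20 Winlogon Notify entries whose name looks generated."""
    flagged = []
    for section, detail in entries:
        if section != "O20" or not detail.startswith("Winlogon Notify:"):
            continue
        path = detail.rsplit(" - ", 1)[-1]
        # Split on backslashes by hand so this also works on a non-Windows host.
        stem = os.path.splitext(path.replace("\\", "/").rsplit("/", 1)[-1])[0]
        if looks_generated(stem):
            flagged.append(path)
    return flagged


def report(before_text, after_text):
    """Print a before/after summary and return the flagged paths from the first log."""
    removed, added = diff_logs(before_text, after_text)
    print("Entries gone after cleanup:")
    for section, detail in removed:
        print(f"  - {section} - {detail}")
    print("Entries new after cleanup:")
    for section, detail in added:
        print(f"  + {section} - {detail}")
    flagged = flag_winlogon_notify(parse_hjt(before_text))
    for path in flagged:
        print(f"Suspicious Winlogon Notify DLL in first log: {path}")
    return flagged


if __name__ == "__main__":
    report(LOG_BEFORE, LOG_AFTER)
```

Run it on two full logs saved as text files by reading them into `LOG_BEFORE` and `LOG_AFTER`; the diff is what a helper reads first, and the O20 flag only draws attention to a line, it does not prove the DLL is malicious.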

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello,

I see a clean log.
Just a little thing we need to perform. :tazz:

Please download NTrights.zip by freeatlast.
Save it on your desktop.
Unzip/extract it.
Read here how to unzip/extract properly:
http://metallica.gee...xplanation.html
Open the NTrights folder.
Double click on the Debug.bat file to run it, follow any prompts it asks.

It will create a log.
Copy the log and post it in your next reply.
Also tell me how everything is running now. :)

#5 mahirada (Topic Starter, banned, 24 posts)
Thanks for your valuable help. I should say that you are the number one... I think my problems are solved... but the link you wrote in your second reply doesn't work..
By the way, I don't understand for what purposes I have to do this NTrights.zip......
See you soon..
Yes, you are the number one...

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi, that's odd, the link works fine here though.
You need it to restore SeDebugPrivilege to administrators, because the infection you got messes with it.

Maybe the server was offline for a while. It has happened before, so you can try this later when the link works.

If it says in the log:

Granting SeDebugPrivilege to Administrators ... successful

Then you are ok. :tazz:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently, and don't forget to update them first.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft...xp/iesecxp.mspx

More info on how to prevent malware can also be found here (by Tony Klein).

Happy surfing again! :)
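The reply above says the infection removed SeDebugPrivilege from Administrators and that the NTrights batch file restores it, with "Granting SeDebugPrivilege to Administrators ... successful" as the line to look for. A way to verify the end state independently of that tool is to export the local security policy and read the `[Privilege Rights]` section. The checker below is an added example written for this page, not code from the thread or from NTrights. It assumes the INI-style layout produced by `secedit /export /cfg` (right name, `=`, comma-separated holders with SIDs prefixed by `*`); the two templates in it are constructed samples, one with the privilege present and one with it missing, and the other rights listed in them are filler, not taken from a real host.

```python
# Added example (not from the thread or from the NTrights tool): check an
# exported local security policy for Administrators holding SeDebugPrivilege.
# On a Windows host the real input comes from:  secedit /export /cfg policy.inf
# (that export is usually UTF-16; open it with the matching encoding).
ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID for BUILTIN\Administrators

# Constructed sample laid out like a secedit export, with the privilege present.
CLEAN_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Same layout with SeDebugPrivilege absent, as after the privilege was stripped.
STRIPPED_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(export_text):
    """Return {right_name: [holders]} from the [Privilege Rights] section.
    Holders written as *S-1-... have the leading * stripped; plain account
    names (no *) are kept verbatim."""
    rights = {}
    section = None
    for raw in export_text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a BOM on the first line
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def debug_privilege_holders(export_text):
    """SIDs/names currently granted SeDebugPrivilege; empty if the right is unset."""
    return parse_privilege_rights(export_text).get("SeDebugPrivilege", [])


def administrators_have_debug(export_text):
    return ADMINISTRATORS_SID in debug_privilege_holders(export_text)


def check(export_text):
    """Print a verdict and return True when Administrators hold the privilege."""
    holders = debug_privilege_holders(export_text)
    ok = ADMINISTRATORS_SID in holders
    if ok:
        print("SeDebugPrivilege granted to Administrators: OK")
    else:
        print("SeDebugPrivilege is NOT granted to Administrators "
              f"(current holders: {holders or 'none'}); restore it before "
              "relying on tools that need to attach to other processes")
    return ok


if __name__ == "__main__":
    check(CLEAN_EXPORT)
    check(STRIPPED_EXPORT)
```

Run the check on the exported file after the batch file has finished: if the export still lacks `S-1-5-32-544` under `SeDebugPrivilege`, the "successful" line in the tool's log did not stick, which is worth knowing before trusting any scanner that needs the privilege.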

#7 mahirada (Topic Starter, banned, 24 posts)
:tazz:
Granting SeDebugPrivilege to Administrators ... successful

Fri Oct 28 13:51:20 2005 -- done

I think I have done it properly..
I am not getting any popups and spyware anymore. In the end, we have solved the problem... Is there anything (apart from what you have said) that I should do...
Again thanks for your great help... Have a nice day... :)

#8 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

Great to hear that. :tazz:

What won't hurt is to run another Spy Sweeper scan to get rid of some leftovers, if still present.
And if you follow my other advice (the prevention speech), you must be ok. :)

#9 miekiemoes (Malware Expert, MVP, 5,503 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.