Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Raze ware, please help!


  • This topic is locked This topic is locked

#1
Wassa

Wassa

    New Member

  • Member
  • Pip
  • 1 posts
I got raze ware and I've tried to remove it by following the suggestions made in other forum threads, but it haven't worked. I've run 5-6 antispyware but none of them seems to be able to remove the spyware :)
And my desktop is still held hostage :)
Would be lovely if you could help me. Anything else you need, just let me know. I really appreciate the service you got here :tazz:

I post my log now:

Logfile of HijackThis v1.99.1
Scan saved at 01:14:10, on 2005-11-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program\D-Tools\daemon.exe
C:\Luna\App\bin\runpep.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
D:\Program\iTunes\iTunesHelper.exe
C:\Program\QuickTime\qttask.exe
D:\Program\Anti-Blaxx\Anti-Blaxx.exe
D:\Program\Winamp\winampa.exe
D:\Program\Skype\Phone\Skype.exe
C:\Program\Messenger\msmsgs.exe
D:\Program\ewido\security suite\ewidoctrl.exe
D:\Program\ewido\security suite\ewidoguard.exe
D:\Mythic\Tmas.exe
D:\Program\Norton AntiVirus\navapsvc.exe
D:\Program\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\Program\Microsoft Office\Office\Winword.exe
C:\Hi jack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\Program\FlashFXP\IEFlash.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Symantec Autoscan] nrvhqclcpsosi.exe
O4 - HKLM\..\Run: [Network Access] winssh.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [InitPulsar] "C:\Luna\App\bin\runpep.exe" -s
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Anti-Blaxx Manager] D:\Program\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [Symantec Autoscan] nrvhqclcpsosi.exe
O4 - HKLM\..\RunServices: [Network Access] winssh.exe
O4 - HKCU\..\Run: [Symantec Autoscan] nrvhqclcpsosi.exe
O4 - HKCU\..\Run: [Skype] "D:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [Symantec Autoscan] nrvhqclcpsosi.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = D:\Mythic\Tmas.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122839095309
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements


#2
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome Wassa to Geeks to Go!

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Please download noahdfear's smitRem.exe©. (If you already used this tool, remove that version. The tool is frequently updated).
Save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop.

***

Launch ewido, there should be an icon on your desktop double-click it.

The program will now go to the main screen
You will need to update ewido to the latest definition files.On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each


C:\WINDOWS\system32\nrvhqclcpsosi.exe
C:\WINDOWS\system32\winssh.exe


For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [Symantec Autoscan] nrvhqclcpsosi.exe

O4 - HKLM\..\Run: [Network Access] winssh.exe

O4 - HKLM\..\RunServices: [Symantec Autoscan] nrvhqclcpsosi.exe

O4 - HKLM\..\RunServices: [Network Access] winssh.exe

O4 - HKCU\..\Run: [Symantec Autoscan] nrvhqclcpsosi.exe

O4 - HKCU\..\RunServices: [Symantec Autoscan] nrvhqclcpsosi.exe


Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your computer.

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Reboot back into Windows

Post a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP