[samebattime]

I've been fighting this all day. Please help before I pull any remaining hair out.
Logfile of HijackThis v1.99.1
Scan saved at 12:24:42 PM, on 5/27/2005
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\WINNT\Mixer.exe
C:\Program Files\X-ecutor\xecutor.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\loadqm.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\Services\{8B45D9E5-F34E-482E-B4D7-9EDF680CFB96}\SVCHOST.EXE
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\K67C228F\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [xecutor] C:\Program Files\X-ecutor\xecutor.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{8B45D9E5-F34E-482E-B4D7-9EDF680CFB96}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINNT\System32\Services\{8B45D9E5-F34E-482E-B4D7-9EDF680CFB96}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - Startup: Xecutor.lnk = C:\Program Files\X-ecutor\xecutor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .pdf&&DI=293&IG=e19416efd3fa43eab6691560c93d01d6&POS=10&CM=WPU&CE=7&CS=AWP&SR=7: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

[Advertisements]

Welcome to GTG.

Let's help you save your hair

OK, for this file (C:\WINNT\System32\sistray.EXE), I want you to upload it to this site and submit it. Post the analysis report here.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoft...ucts/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{8B45D9E5-F34E-482E-B4D7-9EDF680CFB96}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINNT\System32\Services\{8B45D9E5-F34E-482E-B4D7-9EDF680CFB96}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\System32\Services\{8B45D9E5-F34E-482E-B4D7-9EDF680CFB96}\
C:\WINNT\System32\spoolsrv32.exe

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.

[greyknight17]

Welcome to GTG.

Let's help you save your hair

OK, for this file (C:\WINNT\System32\sistray.EXE), I want you to upload it to this site and submit it. Post the analysis report here.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoft...ucts/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [Service Host] C:\WINNT\System32\Services\{8B45D9E5-F34E-482E-B4D7-9EDF680CFB96}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINNT\System32\Services\{8B45D9E5-F34E-482E-B4D7-9EDF680CFB96}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\System32\Services\{8B45D9E5-F34E-482E-B4D7-9EDF680CFB96}\
C:\WINNT\System32\spoolsrv32.exe

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.

[samebattime]

It seems to be better...what do you think?


Logfile of HijackThis v1.99.1
Scan saved at 3:08:30 PM, on 5/27/2005
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\WINNT\Mixer.exe
C:\Program Files\X-ecutor\xecutor.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\loadqm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nikon\NkView5\NkvMon.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\ron\Local Settings\Temporary Internet Files\Content.IE5\Y145ALWV\HijackThis[1].exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [xecutor] C:\Program Files\X-ecutor\xecutor.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disk Keeper] C:\WINNT\System32\Services\{8B45D9E5-F34E-482E-B4D7-9EDF680CFB96}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - Startup: Xecutor.lnk = C:\Program Files\X-ecutor\xecutor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .pdf&&DI=293&IG=e19416efd3fa43eab6691560c93d01d6&POS=10&CM=WPU&CE=7&CS=AWP&SR=7: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

[greyknight17]

Not much. We'll try fixing it again. Before we do that, do you know what that X-ecutor program is for?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Disk Keeper] C:\WINNT\System32\Services\{8B45D9E5-F34E-482E-B4D7-9EDF680CFB96}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINNT\System32\Services\{8B45D9E5-F34E-482E-B4D7-9EDF680CFB96}\
C:\WINNT\System32\spoolsrv32.exe

Restart and run a new HijackThis scan. Save the log file and post it here.

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs...p?page=download. Learn how to use it at http://tds.diamondcs...?page=easytouse. Make sure to update it after you installed it. You can get the manual updates at http://tds.diamondcs...php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.

[greyknight17]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.