Steve (Author) Posted February 17, 2005

KD... First off, go to Add/Remove Programs and get rid of that Spyware Doctor program. It's cack and clearly doesn't work.

Next, press Control/Alt/Delete to bring up the Task Manager. Click on the Processes tab and end these two processes if present:

a64sddd.exe
txfdcd.exe

Now run HijackThis again and check off ALL of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zpecialoffer.com/indexie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.zpecialoffer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mrkd.co.uk/go/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zpecialoffer.com/indexie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ario&pf=desktop
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [popuppers64] C:\WINDOWS\a64sddd.exe
O4 - HKCU\..\Run: [LovqRSesW] txfdcd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.qmdatabase.org/download/CfxIEAx.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

Make sure you close all browser windows then hit Fix Checked.

Now you need to reboot, preferably into Safe Mode, and locate these two files and delete them:

C:\WINDOWS\a64sddd.exe
txfdcd.exe

I'm not sure of the second one's location, but if you enable hidden files then search for it, you should find it, probably either in Windows or Windows\System32.

Once you've done that, run Disk Cleanup from the System Tools section of the Start menu. Make sure you delete all your temporary files, including emptying the Recycle Bin. Reboot again and your problem will be gone (hopefully!).

Now all you need to do is start Internet Explorer, click Tools then Internet Options, the Programs tab then Reset Web Settings. Then click on the General tab and re-enter the homepage you would like. Finally, click on the Security tab, then the Internet Zone icon, and make sure the security level has not been set to low by your infected files. If it has, move it back to the recommended level by clicking Default Level. Then you must click Apply then OK.

If you go to http://www.java.com you'll find that an update is available for your Java installation too.
MrKD Posted February 17, 2005

I understand now but only cos you guys have opened my eyes 2 something I should be taking more care of !!!
Guest Deeswift Posted February 17, 2005

And yo, maybe CrapCleaner would help too: http://www.ccleaner.com
Steve (Author) Posted February 17, 2005

> I understand now but only cos you guys have opened my eyes 2 something I should be taking more care of !!!

Yeah, you could slim down your system loads more. I don't generally tell people to remove stuff that's not related to spyware though (apart from the odd one or two things) cos I've had people complain that they liked to have certain programs starting when they boot up, but after following my suggestions, those programs don't start anymore. Really, you only need a firewall and your antivirus program starting. Anything else can be started manually, unless you really do use it constantly.

There is one entry in your log I'm unsure about and that's this one:

O17 - HKLM\System\CCS\Services\Tcpip\..\{FA0C1F07-9AC4-4B3D-9ECC-EE5EA4D555E6}: NameServer = 62.241.162.200 158.43.240.3

The first IP address is this:

resolver1.systems.pipex.net

Which is probably to do with your ISP. The second one though is this:

cache0005a.ns.eu.uu.net

Seems a little odd, unless you know what that relates to. I wouldn't recommend fixing it unless you still have problems though.
MrKD Posted February 17, 2005

Thank you to both Sig & Dee ... YOU WAS STARS IN A VERY DARK SKY LADS !!!
Steve (Author) Posted February 17, 2005

No worries mate!
MrKD Posted February 17, 2005

> No worries mate!

Dude .. now I C how much crap I've deleted & also how fast my machine has become. I am really grateful ... And for anyone reading this: if you have not taken the advice within this post and not taken up the offer that Sig is offering to check ya logs .. Ya 100% fukin Cuckoo .... Scary what is out there !!! And I would not say I'm green 2 PC's and tech stuff ... Sigma the life saver !!! Ya crown dude !
alkatrazz Posted February 17, 2005

hahaha tomorrow Sigma's gonna have 100+ logs to check. But definitely thanks for all the help Sigma and Dee, saved my ass from a whole bunch of problems I could have encountered or did encounter.
Guest Deeswift Posted February 17, 2005

It's good to know DV is doing its job, that's what we're here for innit, to help each other out. Well, that and call each other queers occasionally...
Mixologist Posted February 17, 2005

We're here to help each other out? I'm here only because I have no friends.
$a!n+ Posted February 22, 2005

HELP SIGMA!

Logfile of HijackThis v1.99.1
Scan saved at 2:28:07 PM, on 2/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Saint\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...ount_id=1001046
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...ount_id=1001046
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...ount_id=1001046
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: LT Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\system32\lmf32v.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [cwAO6] C:\WINDOWS\jwlyo.exe
O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Tgpzvb.exe
O4 - HKLM\..\Run: [ijrbbpd] C:\WINDOWS\ptcore.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Ekattu.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\lmf32v.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Steve (Author) Posted February 23, 2005

Fuck me. Viruses galore. I'm just looking through it now Gabe.
Steve (Author) Posted February 23, 2005

OK mate. First off, go into Add/Remove Programs and remove the following:

Internet Optimizer
Web Rebates
Power Scan
YourSiteBar
180Solutions

Those may or may not all be there, but check carefully down the list. The names may be very slightly different from what I've typed too. Once you've done that, reboot.

Now, run HijackThis again and check off all of the following (some of it may no longer be there after uninstalling some of the programs mentioned above):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...ount_id=1001046
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...ount_id=1001046
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...ount_id=1001046
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: LT Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\system32\lmf32v.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cwAO6] C:\WINDOWS\jwlyo.exe
O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Tgpzvb.exe
O4 - HKLM\..\Run: [ijrbbpd] C:\WINDOWS\ptcore.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Ekattu.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\system32\lmf32v.dll

Close ALL browser windows and hit Fix Checked.

Reboot your PC into Safe Mode by tapping F8 as it's booting. Start Windows Explorer, not Internet Explorer, then hit Tools then Folder Options. Click on the View tab and make sure the following are set like this:

Show hidden files and folders (Selected)
Hide extensions for known file types (NOT selected)
Hide protected operating system files (Recommended) (NOT selected)

Then hit Apply then OK.

Now, you must browse to these files and folders and delete them all if they exist:

C:\WINDOWS\nem220.dll
C:\WINDOWS\jwlyo.exe
C:\WINDOWS\ptcore.exe
C:\WINDOWS\system32\Tgpzvb.exe
C:\WINDOWS\system32\lmf32v.dll
C:\WINDOWS\system32\Ekattu.exe
C:\Program Files\Power Scan
C:\Program Files\Web_Rebates
C:\Program Files\Internet Optimizer
C:\Program Files\YourSiteBar
C:\Program Files\180solutions

Next, run Disk Cleanup from the System Tools section of the Start Menu. Make sure you erase all temporary files. It might be an idea to also run Crap Cleaner at this point, which you can download HERE.

Then reboot into regular Windows. Start Internet Explorer and hit Tools then Internet Options. Click on the Programs tab and hit Reset Web Settings, then hit the General tab and re-enter your desired homepage. Finally, click on the Security tab, Internet Zone icon, then make sure it's not been set to low. If it has, click on Default Level. Then hit Apply then OK.

Sorted.
$a!n+ Posted February 23, 2005

Yeah, somehow I got them all at once I think.
$a!n+ Posted February 23, 2005

thanx man!
Steve (Author) Posted February 23, 2005

No worries mate. Your PC should be noticeably faster if you got everything. Post another log if you're not sure.
Jahli Posted February 23, 2005

What I've got runnin right now:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\System32\kxmixer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINNT\System32\SNDVOL32.EXE
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijakthis\HijackThis.exe
Steve (Author) Posted February 23, 2005

Nothing dodgy at all there mate, although you really need to post the entire log. Norton runs 11 processes on your machine!
Jahli Posted February 23, 2005

I read over it, just posting what I've got runnin to post. I've been run through the wringer with worms/trojans/viruses before so I've got a good handle on what needs to be there now. I run everything I can from Norton and Ad-Aware when I'm connected to the web; I disconnect my PC (even pull the cord out, call me paranoid now) and turn it all off when I'm working on production and the such.

Big ups for the look out Sig, seems like a lot of heads needed it. That kinda help is priceless once you realise you might lose whatever work you haven't backed up (which seems to be way too much with most heads).
chile Posted March 1, 2005

Yo Sig, this is my log... I'm guessing it's riddled with shite..

Logfile of HijackThis v1.99.1
Scan saved at 02:54:33, on 01/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
C:\DOCUME~1\chilean\LOCALS~1\Temp\~e5d141.tmp
C:\DOCUME~1\chilean\LOCALS~1\Temp\~e5d141.tmp
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Macromedia\Flash MX 2004\Flash.exe
C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
C:\Documents and Settings\chilean\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.karoo.co.uk/searchpage.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=317
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\system32\mshelp32.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\system32\tibs3.exe
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [XoftSpy] "C:\Program Files\XoftSpy\XoftSpy.exe" -b
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [sTManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{328E0D13-1275-4916-BF3B-E448C016DDB4}: NameServer = 212.50.160.100 213.249.130.100
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
Steve (Author) Posted March 1, 2005

It's a monster mate! Gimme 15 minutes or so to look at it and I'll post up what you should do.
chile Posted March 1, 2005

lol k, thanks a lot for this m8
chile Posted March 1, 2005

Oh yeh.. every now and then I get an error saying that sol.exe has performed an error or something and it asks me if I want to send a report... it has a small picture of a woman from behind. I never dloaded any of this shit...
Steve Posted March 1, 2005 (Author)

Right, you have at least 3 nasty viruses in there including the RBot worm. The instructions are lengthy so print them off if you can. You can't have IE or any other browser open while using HijackThis to remove items. Download Crap Cleaner from HERE because you'll need it later.

First off, go to Add/Remove Programs and uninstall XoftSpy. It's a fake spyware application that actually puts spyware on your machine. Also uninstall the MSN Toolbar. It's a massive resource hog. You're better off with the Google toolbar if you must use one at all. Finally, look for a program that's called MakeMeSearch or WhenUSearch (or something along those lines) and uninstall it - if you don't see anything like that, don't worry.

Next, press Control/Alt/Delete to bring up the Task Manager. Click on the Processes tab and end these if present: -

tfswctrl.exe
~e5d141.tmp
~e5d141.tmp.exe

Now, run HijackThis again and put a checkmark next to all of the following (if present): -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.karoo.co.uk/searchpage.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=317
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\system32\mshelp32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\system32\tibs3.exe
O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [XoftSpy] "C:\Program Files\XoftSpy\XoftSpy.exe" -b
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk

Make sure no browser windows are open and hit Fix Checked.

Reboot your PC and tap F8 as it's starting up. When the boot menu appears, select Safe Mode and your machine will start. Start Windows Explorer, not Internet Explorer, then hit Tools then Folder Options. Click on the View tab and make sure the following are set like this: -

Show hidden files and folders (Selected)
Hide extensions for known file types (NOT selected)
Hide protected operating system files (Recommended) (NOT Selected)

Then hit Apply then OK.

Now, you must browse to these files and folders and delete them all if they exist: -

C:\WINDOWS\system32\dla
C:\Program Files\MSN Apps
C:\Program Files\XoftSpy
C:\WINDOWS\system32\javafix3.dll
C:\WINDOWS\system32\mshelp32.exe
C:\WINDOWS\system32\tibs3.exe
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\jjfixer.exe
C:\DOCUME~1\chilean\LOCALS~1\Temp\~e5d141.tmp

Now, run Disc Cleanup from the System Tools section of your Start Menu. Make sure you delete all temporary files, including the Recycle Bin. Then run Crap Cleaner to remove any other remaining temporary files.

Reboot your PC into regular Windows. Start Internet Explorer and hit Tools then Internet Options. Click on the Programs tab and hit Reset Web Settings, then hit the General tab and re-enter your desired homepage. Finally, click on the Security tab, Internet Zone icon, then make sure it's not been set to low - if it has, click on Default Level. Then hit Apply then OK.

You should be OK at this point. Perhaps post another log to make sure none of the viruses changed names and reappeared.

I'd recommend ditching McAfee for Kaspersky and using Sygate Pro as your firewall, rather than relying on the XP one. Not only will this speed up your system (McAfee runs many processes at once), it will also offer you far better protection. PM me and I can hook you up with these if you choose to do that.

Best of luck mate!
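The post above works through a HijackThis log by hand: each R0/R1 line is a browser start or search page, each O2 line a browser helper object, each O4 line an autostart value under a Run or RunOnce key. The following is an added example, not HijackThis's own code and not part of the thread, showing how a responder can parse those line formats into structured records and flag the ones that match the file names and search domain the post tells the user to remove. The sample lines are quoted from the post; the indicator sets hold only what the post names, and the `Entry` class, regexes and function names are this example's own.

```python
"""Parse HijackThis-style log lines and flag entries matching known indicators.

Added example (not HijackThis's own code). Sample lines are quoted from the
post above; BAD_FILES and BAD_DOMAINS contain only what that post names.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Log lines quoted from the post; one of each section type we parse, plus an O14
# line to show that unhandled sections are kept verbatim rather than dropped.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.karoo.co.uk/searchpage.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=317
O2 - BHO: (no name) - {A708A39C-8DA7-4e36-B3B0-0A1FFAFD4B6D} - C:\WINDOWS\system32\javafix3.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\system32\mshelp32.exe
O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.karoo.co.uk
"""

# File names and the search domain the post instructs the user to remove.
BAD_FILES = {"javafix3.dll", "mshelp32.exe", "tibs3.exe", "spoolsrv32.exe",
             "jjfixer.exe", "~e5d141.tmp"}
BAD_DOMAINS = {"makemesearch.com"}


@dataclass
class Entry:
    section: str                  # HijackThis section code, e.g. "R0", "O4"
    raw: str                      # the original log line
    hive: Optional[str] = None    # HKLM / HKCU where the line names one
    name: Optional[str] = None    # Run value name, BHO name, or IE value name
    target: Optional[str] = None  # command line, DLL path, or URL


LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>.+)$")
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+?)(?: \(file missing\))?$")


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry; returns None for blank or non-log lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4" and (m4 := O4_RE.match(body)):
        return Entry(section, line, m4["hive"], m4["name"], m4["cmd"])
    if section in ("R0", "R1") and (mr := R_RE.match(body)):
        return Entry(section, line, mr["hive"], mr["value"], mr["url"])
    if section == "O2" and (m2 := O2_RE.match(body)):
        return Entry(section, line, None, m2["name"], m2["path"])
    return Entry(section, line, None, None, body)  # unhandled section: keep body as-is


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def exe_from_command(cmd: str) -> str:
    """Lower-cased file name of the program in a Run value, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split()[0] if cmd.split() else cmd
    return ntpath.basename(path).lower()  # ntpath handles Windows paths on any OS


def flag_entries(entries: List[Entry], bad_files=BAD_FILES,
                 bad_domains=BAD_DOMAINS) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs for entries matching the indicator sets."""
    hits = []
    for e in entries:
        reason = None
        if e.section in ("O2", "O4") and e.target:
            if exe_from_command(e.target) in bad_files:
                reason = "known-bad file"
        elif e.section in ("R0", "R1") and e.target:
            host = (urlparse(e.target).hostname or "").lower()
            if any(host == d or host.endswith("." + d) for d in bad_domains):
                reason = "hijacked URL"
        if reason:
            hits.append((e, reason))
    return hits


if __name__ == "__main__":
    for entry, why in flag_entries(parse_log(SAMPLE_LOG)):
        print(f"{entry.section:<3} {why:<15} {entry.name!r:<28} {entry.target}")
```

Run against the sample, the script reports the makemesearch.com start page, the javafix3.dll BHO and the mshelp32, spoolsrv32 and jjfixer Run values, while the QuickTime and karoo.co.uk lines pass. The point of splitting parsing from flagging is that the same records can be re-checked when the thread's advice to "post another log" is followed: the user's second log is parsed with the same code and compared against the same indicator sets.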
Guest Deeswift Posted March 1, 2005

> Oh yeah... every now and then I get an error saying that sol.exe has performed an error or something, and it asks me if I want to send a report... It has a small picture of a woman from behind. I never downloaded any of this shit...

LOL! Oh man, that's funny, but obviously you got something nasty.