blessa
regular


Reg'd: Sun
Posts: 26
Please check this log.
      #219861 - Mon Sep 05 2005 02:34 PM

I hope someone will take a look at this log. What I know is that I have searcweb2 and ads1revenue (or what it's called..).

A friend of mine thinks I have a trojan horse on my computer... I hope not!

Logfile of HijackThis v1.99.1
Scan saved at 15:28:35, on 05.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Fellesfiler\New Boundary\PrismXL\PRISMXL.SYS
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Digital Media Reader\shwiconem.exe
C:\Programfiler\filer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Internet Explorer\iexplore.exe
c:\progra~2\intern~1\iexplore.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\Config2500.exe
C:\Programfiler\Wireless LAN Utility\SiWake.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\Wireless LAN Utility\SiSCFG.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.esnwrkjicdqrmxrccsoxneqwu.inf...A9Bez5PcPdc.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blessa.proboards29.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {592275AD-16A8-CB70-2397-87B7A0205E60} - C:\DOCUME~1\ANDREA~1\PROGRA~1\DaleLog\once grim.exe
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Programfiler\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\filer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Gnetmous] C:\Programfiler\KYE\Genius Wireless Optical Mouse\gnetmous.exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~2\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~2\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Msn Configuration Loader] msngms.exe
O4 - HKLM\..\Run: [BITS DUPE PING BOWS] C:\Documents and Settings\All Users\Programdata\cdrom software bits dupe\oncechic.exe
O4 - HKLM\..\RunServices: [Msn Configuration Loader] msngms.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Jump Mix] C:\DOCUME~1\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Msn Configuration Loader] msngms.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Config2500.lnk = C:\WINDOWS\system32\Config2500.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SiWake.lnk = C:\Programfiler\Wireless LAN Utility\SiWake.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkCnv.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemmeside.dk/builder/pages/KvikFoto.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Programfiler\Fellesfiler\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~2\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe


John_McKennaModerator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #219962 - Mon Sep 05 2005 10:53 PM

Hi blessa and welcome to Webuser.

You have two problems here. The Kelvir worm which probably arrived via MSN Messenger and a Lop adware/hijacker which is commonly bundled with a program called Messenger Plus (which I'm presuming you've since removed).

We'll deal with the Kelvir worm first.

Download the KELVIR REMOVAL TOOL.

Close all the running programs and disconnect the computer from the internet.
  • Double-click the FxKelvir.exe file to start the removal tool.
  • Click Start to begin the process, and then allow the tool to run.
  • Restart the computer.
  • Run the removal tool again to ensure that the system is clean.
  • Reboot and post a fresh HJT log in this thread please.


** Please also confirm whether you've uninstalled Messenger Plus recently and also how many user accounts this machine has please.

** I'd also like you to run the below file through Jotti's Malware Scan. Just paste the entire filepath into the Submit box at the top and paste the results back here please.

C:\WINDOWS\system32\Config2500.exe

--------------------
.

Click here before posting a HijackThis Log - Important !!

My Site

Edited by John_McKenna (Mon Sep 05 2005 10:58 PM)


blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: John_McKenna]
      #220306 - Wed Sep 07 2005 02:11 PM

The Kelvir worm was removed successfully.

** I uninstalled Messenger Plus a long time ago. I have just 1 user account on this computer.

This is the result of HJT:

Logfile of HijackThis v1.99.1
Scan saved at 15:04:00, on 07.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Fellesfiler\New Boundary\PrismXL\PRISMXL.SYS
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Digital Media Reader\shwiconem.exe
C:\Programfiler\filer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\Config2500.exe
C:\Programfiler\Wireless LAN Utility\SiWake.exe
C:\Programfiler\Internet Explorer\iexplore.exe
c:\progra~2\intern~1\iexplore.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.esnwrkjicdqrmxrccsoxneqwu.inf...A9Bez5PcPdc.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {592275AD-16A8-CB70-2397-87B7A0205E60} - C:\DOCUME~1\ANDREA~1\PROGRA~1\DaleLog\once grim.exe
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Programfiler\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\filer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Gnetmous] C:\Programfiler\KYE\Genius Wireless Optical Mouse\gnetmous.exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~2\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~2\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BITS DUPE PING BOWS] C:\Documents and Settings\All Users\Programdata\cdrom software bits dupe\oncechic.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Jump Mix] C:\DOCUME~1\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Config2500.lnk = C:\WINDOWS\system32\Config2500.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SiWake.lnk = C:\Programfiler\Wireless LAN Utility\SiWake.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkCnv.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemmeside.dk/builder/pages/KvikFoto.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Programfiler\Fellesfiler\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~2\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

This is the result of Jotti's Malware Scan:

File: Config2500.exe
Status: OK
MD5 7f07f863ed9e881fc7fb1ddae9aa907a
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: blessa]
      #220307 - Wed Sep 07 2005 02:14 PM

I just looked through the HJT log and saw something with "azesearch". It's quite annoying. I want it removed! I have never installed it, it came on its own.

And by the way: What is Bigfix?

Edited by blessa (Wed Sep 07 2005 02:56 PM)


John_McKennaModerator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #220392 - Wed Sep 07 2005 06:56 PM

BigFix can automatically download and read technical support information provided by computer and software manufacturers and other technical support experts (published in the form of Fixlet® Messages) and can automatically check your computer for bugs, configuration conflicts, and security holes. Should only be started manually as it's a resource hog.


Step 1

Configure Windows to Show all hidden files & folders and ensure you're familiar with rebooting into Safe Mode.

Download & install Cleanup! from here.

Download the Lop uninstaller from here to your desktop.
(if your anti-virus detects trojan swizzor, please ignore it and download regardless, it is not harmful!)

Copy the below steps to notepad, close Internet Explorer and disconnect from the internet.



Step 2

Run HJT again and checkmark the boxes next to the following:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.esnwrkjicdqrmxrccsoxneqwu.inf...A9Bez5PcPdc.asp
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: (no name) - {592275AD-16A8-CB70-2397-87B7A0205E60} - C:\DOCUME~1\ANDREA~1\PROGRA~1\DaleLog\once grim.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~2\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [BITS DUPE PING BOWS] C:\Documents and Settings\All Users\Programdata\cdrom software bits dupe\oncechic.exe
O4 - HKCU\..\Run: [Jump Mix] C:\DOCUME~1\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab

Close ALL OPEN WINDOWS/BROWSERS and click Fix Checked


Step 3

Start CleanUp! and do the following:

Click the Options button.
Make sure only the following are checked:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (XP only)
  • Scan local drives for temporary files
  • Cleanup! All Users

Click the Ok button to close the Options dialog.
Click the CleanUp! button to begin cleaning. It may take a while depending on the size of the hard drive so be patient.
When it has finished, close CleanUp! but decline to logoff when prompted.

Warning: Cleanup removes EVERYTHING in your temp/temporary folders. If you have any programs or saved work in them, please save it to another location before running Cleanup.


Step 4

Please now reboot into Safe Mode and delete the following folders in bold:

C:\Documents and Settings\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe
C:\Documents and Settings\ANDREA~1\PROGRA~1\DaleLog\once grim.exe
C:\PROGRAM FILES\DESKMATE\DeskMateAutoUpdate.exe
C:\Documents and Settings\All Users\Programdata\cdrom software bits dupe\oncechic.exe


Then run the Lop uninstaller.


Step 5

Reboot and run any of the following online virus scans (saving the scan report when complete):

Kaspersky Online
Panda ActiveScan
Trend Micro (Europe)


Step 6

Then post a fresh HJT log after rebooting along with the online scan results.

.

--------------------
.

Click here before posting a HijackThis Log - Important !!

My Site
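
An added example (not part of the original thread, and not HijackThis's own code): a Python check that compares the entries selected for fixing in Step 2 with a later scan and reports any that are still registered. The sample lines are abridged from the logs posted in this thread; the function names and the identity scheme are assumptions of this example.

```python
import re

# HijackThis entry line: "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^(?P<code>[RFN]\d|O\d{1,2})\s+-\s+(?P<body>.*\S)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RUN_RE = re.compile(r"^(?P<loc>[^:\[]+):\s*\[(?P<name>[^\]]*)\]")


def identity(code, body):
    """Key that names the autostart point itself, not the data stored in it.

    Comparing whole lines misses an entry whose text changed between scans
    (for example "(file missing)" appended once the target file is deleted).
    """
    clsid = CLSID_RE.search(body)
    if code in ("O2", "O9", "O16") and clsid:
        return (code, clsid.group(0).lower())
    run = O4_RUN_RE.match(body) if code == "O4" else None
    if run:
        return (code, run["loc"].strip().lower(), run["name"].strip().lower())
    if " = " in body:  # R0/R1 registry values, O4 startup-folder shortcuts
        return (code, body.split(" = ", 1)[0].strip().lower())
    return (code, " ".join(body.lower().split()))


def parse_log(text):
    """Map identity key -> original line for every entry line in a log.

    Header lines and the "Running processes" list do not match ENTRY_RE
    and are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[identity(m["code"], m["body"])] = line
    return entries


def still_present(fix_list, later_log):
    """Entries selected for 'Fix Checked' that a later scan still reports."""
    later = parse_log(later_log)
    return [later[key] for key in parse_log(fix_list) if key in later]


# Abridged from the Step 2 fix list above (O2 and O4 entries only).
FIX_LIST = r"""
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: (no name) - {592275AD-16A8-CB70-2397-87B7A0205E60} - C:\DOCUME~1\ANDREA~1\PROGRA~1\DaleLog\once grim.exe
O4 - HKLM\..\Run: [BITS DUPE PING BOWS] C:\Documents and Settings\All Users\Programdata\cdrom software bits dupe\oncechic.exe
O4 - HKCU\..\Run: [Jump Mix] C:\DOCUME~1\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
"""

# Abridged from the log saved on 11.09.2005 later in this thread.
LATER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Jump Mix] C:\DOCUME~1\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe
O4 - Global Startup: Config2500.lnk = C:\WINDOWS\system32\Config2500.exe
"""

if __name__ == "__main__":
    for line in still_present(FIX_LIST, LATER_LOG):
        print("still present after fix:", line)
```

An entry reported here means the registry value or object registration survived the fix and should be rechecked before the machine is declared clean.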


blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: blessa]
      #220624 - Thu Sep 08 2005 08:01 PM

I think I've got some problems here..

I did steps 1-3 and began on step 4. I started the computer in Safe Mode. And then the problem started. My computer wouldn't let me delete this file:
C:\PROGRAM FILES\DESKMATE\DeskMateAutoUpdate.exe

Still in Safe Mode I needed to run the Lop uninstaller, but I couldn't see the numbers... What should I do now? I can see the numbers in Normal Mode. But I haven't run the Lop uninstaller yet, 'cause I wanted to know if it was so important to delete this file above? Or should I just keep on doing the steps?

After I deleted the files I could delete, I saw that some of the icons on the desktop(?) have disappeared. It was the icons that were annoying me. Icons like "Free mobile ringtones", "Play poker online" etc. The annoying toolbar has also disappeared.


John_McKennaModerator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #220671 - Thu Sep 08 2005 10:32 PM

Run the Lop uninstaller in normal mode please.

Reboot and post a fresh log.

Please also post a HijackThis Uninstall list.

To do this:

Open HijackThis
Click 'Config' (bottom right)
Click 'Misc Tools'
Click 'Open Uninstall Manager'
A list of the entries in Add/remove programs will appear.
Click on Save List...
The list will be saved as 'Uninstall_list.txt'
Copy & Paste the contents in your next reply.

blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: John_McKenna]
      #221039 - Sat Sep 10 2005 11:31 AM

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, September 10, 2005 11:59:16
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/09/2005
Kaspersky Anti-Virus database records: 139658
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\ANDREA~1\LOKALE~1\Temp\

Scan Statistics:
Total number of scanned objects: 17309
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 38603 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.


802.11b USB Wireless LAN Adapter
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Reader 6.0.1 - Norsk
BearShare
BigFix
BitLord 1.1
CC_ccStart
ccCommon
CleanUp!
Creative MediaSource
Creative WebCam Center
Creative WebCam Instant Driver (1.00.08.0416)
Creative WebCam Instant User's Guide (English)
Digital Media Reader
Eye Candy 4000
Genius Wireless Optical Mouse
HijackThis 1.99.1
ImageMixer VCD2
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
J2SE Runtime Environment 5.0 Update 2
Jasc Paint Shop Pro 8
Java 2 Runtime Environment, SE v1.4.2_05
Kaspersky On-line Scanner
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player
Macromedia Shockwave Player
Media Library Management Wizard
Microsoft .NET Framework 1.1
Microsoft FrontPage 2002
Microsoft Office 2003 Web Components
Microsoft Office Professional Edition 2003
Microsoft Office XP Web Components
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
MSN Messenger 7.5
MSN-verktøylinjen
MSRedist
Multimedia Keyboard Driver
Nero BurnRights
Nero OEM
NOMAD MuVo TX
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton WMI Update
Oppdatering for Windows XP (KB894391)
Oppdatering for Windows XP (KB896727)
Oppdatering for Windows XP (KB898461)
Personal License Update Wizard for Windows Media Player
Plus! MP3 Audio Converter LE
PowerDVD
Sikkerhetsoppdatering for Windows XP (KB883939)
Sikkerhetsoppdatering for Windows XP (KB890046)
Sikkerhetsoppdatering for Windows XP (KB893756)
Sikkerhetsoppdatering for Windows XP (KB896358)
Sikkerhetsoppdatering for Windows XP (KB896422)
Sikkerhetsoppdatering for Windows XP (KB896423)
Sikkerhetsoppdatering for Windows XP (KB896428)
Sikkerhetsoppdatering for Windows XP (KB899587)
Sikkerhetsoppdatering for Windows XP (KB899588)
Sikkerhetsoppdatering for Windows XP (KB899591)
Sikkerhetsoppdatering for Windows XP (KB901214)
Sikkerhetsoppdatering for Windows XP (KB903235)
Skype 1.3
Sony USB Driver
Spybot - Search & Destroy 1.4
Symantec Script Blocking Installer
SymNet
ToolbarCounter
Webshots Desktop
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Bonus Pack for Windows XP
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP hurtigreparasjon - KB867282
Windows XP hurtigreparasjon - KB873333
Windows XP hurtigreparasjon - KB873339
Windows XP hurtigreparasjon - KB885250
Windows XP hurtigreparasjon - KB885835
Windows XP hurtigreparasjon - KB885836
Windows XP hurtigreparasjon - KB885884
Windows XP hurtigreparasjon - KB886185
Windows XP hurtigreparasjon - KB887472
Windows XP hurtigreparasjon - KB887742
Windows XP hurtigreparasjon - KB888113
Windows XP hurtigreparasjon - KB888302
Windows XP hurtigreparasjon - KB890047
Windows XP hurtigreparasjon - KB890175
Windows XP hurtigreparasjon - KB890859
Windows XP hurtigreparasjon - KB890923
Windows XP hurtigreparasjon - KB891781
Windows XP hurtigreparasjon - KB893066
Windows XP hurtigreparasjon - KB893086
Wireless LAN Card
Wireless LAN Utility


John_McKennaModerator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #221050 - Sat Sep 10 2005 12:37 PM

I recommend you uninstall Bearshare if it's the free version as it contains spyware.

See HERE for clean alternatives.

Can you post a new HJT log please?

blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: John_McKenna]
      #221274 - Sun Sep 11 2005 02:56 PM

Which downloading-program should I use then? I've always used BearShare. And I need a downloading-program. I want a free one.

I also have BitLord. But I need some help to understand it. This isn't the right forum to ask about that kind of help, I guess.

Edited by blessa (Sun Sep 11 2005 03:08 PM)


John_McKennaModerator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #221293 - Sun Sep 11 2005 03:57 PM

I posted a link for spyware free p2p programs in my last reply. Take your pick.

As far as help with them is concerned, I'm afraid I don't use them and Webuser (although happy to point people in the right direction) do not actively offer help with their usage. Although they have legitimate uses, we know that 99.9% of people use them for downloading music/films illegally.

These programs always have forums. I suggest you look there for help.

Can you post a fresh HijackThis log please so I can confirm you're now clean please?


blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: John_McKenna]
      #221348 - Sun Sep 11 2005 08:23 PM

Logfile of HijackThis v1.99.1
Scan saved at 21:22:54, on 11.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Digital Media Reader\shwiconem.exe
C:\Programfiler\filer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\WINDOWS\system32\Config2500.exe
C:\Programfiler\Wireless LAN Utility\SiWake.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Fellesfiler\New Boundary\PrismXL\PRISMXL.SYS
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programfiler\Wireless LAN Utility\SiSCFG.exe
C:\Programfiler\Windows Media Player\wmplayer.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Programfiler\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\filer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Gnetmous] C:\Programfiler\KYE\Genius Wireless Optical Mouse\gnetmous.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~2\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Jump Mix] C:\DOCUME~1\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe
O4 - Global Startup: Config2500.lnk = C:\WINDOWS\system32\Config2500.exe
O4 - Global Startup: SiWake.lnk = C:\Programfiler\Wireless LAN Utility\SiWake.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkCnv.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemmeside.dk/builder/pages/KvikFoto.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~2\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Programfiler\Fellesfiler\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~2\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe


John_McKenna
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #221371 - Sun Sep 11 2005 09:49 PM

Remove this entry with HijackThis:

O4 - HKCU\..\Run: [Jump Mix] C:\DOCUME~1\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe

Then delete the following folder if found:

C:\Documents and Settings\ANDREA~1\PROGRA~1\OBJLIC <--starting with these 6 letters.

Reboot and post a fresh log.

How's the machine running now?
blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: John_McKenna]
      #221733 - Tue Sep 13 2005 12:59 PM

The machine is running faster, and I haven't got any pop-ups either.

I found the folder, and deleted it.

And by the way; I uninstalled BearShare and installed DC++


Logfile of HijackThis v1.99.1
Scan saved at 13:58:41, on 13.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Fellesfiler\New Boundary\PrismXL\PRISMXL.SYS
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Digital Media Reader\shwiconem.exe
C:\Programfiler\filer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\WINDOWS\system32\Config2500.exe
C:\Programfiler\Wireless LAN Utility\SiWake.exe
C:\Programfiler\Wireless LAN Utility\SiSCFG.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\DC++\DCPlusPlus.exe
C:\Programfiler\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~2\Webshots\webshots.scr
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Programfiler\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\filer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Gnetmous] C:\Programfiler\KYE\Genius Wireless Optical Mouse\gnetmous.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~2\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Config2500.lnk = C:\WINDOWS\system32\Config2500.exe
O4 - Global Startup: SiWake.lnk = C:\Programfiler\Wireless LAN Utility\SiWake.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkCnv.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemmeside.dk/builder/pages/KvikFoto.CAB
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~2\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Programfiler\Fellesfiler\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~2\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

Edited by blessa (Tue Sep 13 2005 01:01 PM)


John_McKenna
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #221752 - Tue Sep 13 2005 02:32 PM

I missed one which needs to go.

Remove this with HijackThis:

O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe

Then delete C:\Windows\System32\ShowWnd.exe (in safe mode if necessary).

If you don't find it there, look in C:\Windows for it.

Reboot and post a fresh log.
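The remove-and-rescan check used in this thread, as an added example (not part of the original posts and not HijackThis's own code): it parses two HijackThis logs, diffs their entries, and reports whether a named O4 autorun is still present. The two samples are excerpts of the 11.09.2005 and 13.09.2005 scans posted above; the function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Excerpts of the two scans posted in this thread (not the full logs).
SCAN_11_SEP = r"""
Logfile of HijackThis v1.99.1
Scan saved at 21:22:54, on 11.09.2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Skype\Phone\Skype.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Jump Mix] C:\DOCUME~1\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe
O4 - Global Startup: SiWake.lnk = C:\Programfiler\Wireless LAN Utility\SiWake.exe
"""

SCAN_13_SEP = r"""
Logfile of HijackThis v1.99.1
Scan saved at 13:58:41, on 13.09.2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Skype\Phone\Skype.exe
C:\Programfiler\DC++\DCPlusPlus.exe
C:\PROGRA~2\Webshots\webshots.scr
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: SiWake.lnk = C:\Programfiler\Wireless LAN Utility\SiWake.exe
"""

# "O4 - ..." style lines: a section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Registry autorun:  HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^(?P<loc>HK\w+\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# Startup folder:    Global Startup: Shortcut.lnk = target
STARTUP_RE = re.compile(r"^(?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")


@dataclass(frozen=True)
class Entry:
    code: str           # section code, e.g. "O4"
    body: str           # everything after "Oxx - "
    location: str = ""  # O4 only: registry key or startup folder
    name: str = ""      # O4 only: value name or shortcut name
    command: str = ""   # O4 only: what gets launched


def parse_log(text):
    """Split a HijackThis log into scan header, process list and entries."""
    log = {"scan": "", "processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Scan saved at"):
            log["scan"] = line
        elif line == "Running processes:":
            in_processes = True
        elif (m := ENTRY_RE.match(line)):
            in_processes = False
            code, body = m["code"], m["body"]
            auto = (RUN_RE.match(body) or STARTUP_RE.match(body)) if code == "O4" else None
            if auto:
                log["entries"].append(Entry(code, body, auto["loc"], auto["name"], auto["cmd"]))
            else:
                log["entries"].append(Entry(code, body))
        elif in_processes:
            log["processes"].append(line)
    return log


def _key(entry):
    # Registry value names and Windows paths are case-insensitive.
    return (entry.code, entry.body.casefold())


def diff_entries(before, after):
    """Return (removed, added) entries between two parsed logs, in log order."""
    before_keys = {_key(e) for e in before["entries"]}
    after_keys = {_key(e) for e in after["entries"]}
    removed = [e for e in before["entries"] if _key(e) not in after_keys]
    added = [e for e in after["entries"] if _key(e) not in before_keys]
    return removed, added


def autorun_present(log, name):
    """True if an O4 autorun with this value/shortcut name is still listed."""
    wanted = name.casefold()
    return any(e.code == "O4" and e.name.casefold() == wanted for e in log["entries"])


def new_processes(before, after):
    """Processes running in the later scan that were not in the earlier one."""
    seen = {p.casefold() for p in before["processes"]}
    return [p for p in after["processes"] if p.casefold() not in seen]
```

A removed entry only shows that the autorun reference is gone from the log; the file or folder it pointed to still has to be checked on disk, as the replies in this thread do.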
blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: John_McKenna]
      #221764 - Tue Sep 13 2005 03:53 PM

I removed the file from HJT.

But I couldn't find ShowWnd.exe where you told me. I found it here: C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy\Recovery\ShowWnd.zip

Should I delete this?


John_McKenna
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #221792 - Tue Sep 13 2005 05:39 PM

You can if you like, but that looks like your Spybot quarantine (despite it being installed to a different location than usual). It must have just been an orphaned entry left in your log.

Now that you're clean again, please follow these simple steps to keep yourself safe and secure in the future.


Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and re-enable System Restore here:

Windows XP System Restore Guide

or

Managing Windows Millennium System Restore

Re-enable System Restore with instructions from the tutorial above.



Clean out ALL Temp Files

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the 'Delete Files' button and put a checkmark in 'Delete Offline Content'. Then press the OK button. This may take quite a while, so don't be alarmed if it takes a while.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Safe Surfing

HJM
blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: John_McKenna]
      #222041 - Wed Sep 14 2005 03:46 PM

I couldn't delete the DAT-file called Perflib_Perfdata_a0c. It was in the step about deleting temp-files. I rebooted in Safe Mode, but the folder with temp-files was empty. So I rebooted in normal mode again. And the file was still there...

But now I want to say: Thank you so much for all the help!! I didn't know that I had so much trash on my computer...!

As you know, you told me to install some programs on my machine, like lopremover, FxKelvir, CleanUp and some more... Which of the programs can I uninstall now? And which antivirus, adware-programs etc do you suggest to have/install on my computer? I already have Ad-Aware, Norton Antivirus (I don't feel like it works so well, even if I use it every day and update it more than once a week.. Do you recommend another antivirus-program instead?), HiJackThis and Spybot S&D. Do you think I need any more? I also use WinXP SP2 firewall.


John_McKenna
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #222076 - Wed Sep 14 2005 06:24 PM

Don't worry about that item in the temp folder, it's harmless.

I think most of the problems you've experienced were probably down to yourself if I was brutally honest and nothing to do with Norton's capabilities as an Anti-Virus solution. You installed the Lop adware by not reading the license agreement for Messenger Plus, and p2p programs are always dangerous. The files you download with these programs, and sometimes the sites you get them from, are crawling with malware.

I'd certainly get yourself a proper firewall and ditch the SP2 offering (which only blocks incoming traffic). You'll find some excellent free protection here including firewalls and alternate AV solutions if you decide to ditch Norton. For the ultimate AV though, look no further than NOD32 which I can personally recommend if you wish to purchase another solution.

You can delete the other tools I asked you to download but suggest you keep Cleanup!. It's a damn handy tool which should be used on a regular basis. Also install SpywareBlaster which you'll find a link to in the tutorial I posted in my last reply. You'll be more than protected then.

I run NOD32, Kerio firewall, SpywareBlaster, Ad-Aware, Spybot and Cleanup which I update once a week.
blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: John_McKenna]
      #222540 - Fri Sep 16 2005 04:17 PM

I can't open Nero StartSmart or any Nero programs which were installed on my machine when I bought it!! It worked before I got help from you! Now I can't use it anymore! I get a message where it says something like: U can't use this program, 'cause its program configuration is wrong. U can solve this problem by installing the program once more.

I DON'T have any installation-cd's or anything, 'cause I bought the machine with Nero!

I also can't use Microsoft Office Word! The message says: "An error occurred and this feature is no longer functioning properly."

I got all these problems after u helped me with HJT! Have u done something wrong?

I NEED HELP QUICKLY!!!!


blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: blessa]
      #222556 - Fri Sep 16 2005 05:31 PM

I'm pissed off!!!! What have you done with my computer???

When I start it up, it just stops right before it's "Welcome...(?)"!!!!!! HELP ME, PLEASE!!!


John_McKenna
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #222710 - Sat Sep 17 2005 11:10 AM

I'm sorry to hear you are having problems blessa but losing your temper with me won't help matters. I instructed you to remove malware ONLY from your machine and nothing else.

We haven't used any anti-spyware programs either so any files you've removed, have been done so manually. Maybe you've deleted the wrong files?

On the 13th September, everything was running smoothly. Three days later you complained of programs not working and now the machine won't even boot up......

The boot up problem would have come to light immediately if it had anything to do with the instructions I gave you so I'm inclined to believe it's a problem with Windows which has since arisen. That or you've managed to pick up another infection.

1. Can you boot the machine up into Safe Mode? If so, post a fresh HijackThis log please.

2. Have you installed any new software/hardware since the 13th?

3. Have you downloaded anything with a p2p program since the 13th?

4. Have you received any error messages like the one below?

"Windows cannot find [file name]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."


* Please remember blessa that I do have a life outside of this forum (well, sometimes lol) so if I don't reply immediately there's a good chance I might be living it. If you want an immediate solution, I suggest you take the machine to a shop and have it formatted and Windows reinstalled. I'm prepared to still offer my FREE help though if you promise to be nice to me.

Your call........
blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: John_McKenna]
      #222749 - Sat Sep 17 2005 03:43 PM

Sorry... I didn't mean to yell at you....

1. I can't boot my machine into any kind of mode...

2. I installed Kerio firewall... I can't remember if I installed anything more than that..

But I ran Cleanup. When it was finished I rebooted the machine to make Cleanup finish doing its work. And then the problem started! I couldn't start my computer! I had plans about burning My Documents to a DVD after Cleanup was finished.. But now I have lost almost everything since June! :O And that's MUCH photos from my digital camera!! :'(

3. I'm not sure what a p2p-program is...

4. No, I don't think so...

I appreciate your help very much!!


John_McKenna
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #222789 - Sat Sep 17 2005 08:14 PM

I asked you to run Cleanup on the 8th Sept. In your subsequent posts since then, you mentioned nothing about these problems until the 16th. In fact you commented on several occasions how well the machine was running.....

Cleanup only does the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (XP only)
  • Scan local drives for temporary files
  • Cleanup! All Users

It does not delete valuable system files that would cause the type of problems you're experiencing now.


Do you have an XP CD or boot disk?

Can you be a little bit more specific about what happens when the machine fails to boot? When you get to the Welcome screen, what exactly happens? Do you get an error message of some description or does the machine just die without warning?
blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: John_McKenna]
      #223137 - Mon Sep 19 2005 03:02 PM

I've got all my stuff back again. I did everything on my own. I'm a bit proud now;) Just 15 years old. I did system recovering by some CDs I made a time ago!

Sorry for yelling and shouting and being impolite! I guess it's the hormones...

Thanks for all the help! I have a full clean computer now. And I am going to install an anti-virus program now, after writing this:) The first thing I wanted to do when I fixed my machine was telling you that everything is excellent now..!


John_McKenna
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #223152 - Mon Sep 19 2005 05:46 PM

Great news blessa, I'm glad you sorted it out yourself, well done.
blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: John_McKenna]
      #223326 - Tue Sep 20 2005 01:52 PM

Thank you so much!

I need a little more help... I have installed Kerio firewall, but it just blocks Internet Explorer and MSN... In the meantime I use Windows firewall... I don't know what to do so Kerio doesn't block Internet Explorer and MSN...


John_McKenna
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #223407 - Tue Sep 20 2005 08:25 PM

Right click on the Kerio system tray icon and select Configuration.

Click on the Network Security tab on the left.

Scroll down the list and change the permissions (right click on each) and set as follows:

Internet Explorer:
  • Trusted (In) = Ask
  • Trusted (Out) = Permit
  • Internet (In) = Ask
  • Internet (Out) = Permit


MSN Messenger:
  • Trusted (In) = Ask
  • Trusted (Out) = Permit
  • Internet (In) = Ask
  • Internet (Out) = Permit
  • Click Apply > OK


Sorted?
blessa
regular


Reg'd: Sun
Posts: 26
Re: Please check this log. [Re: John_McKenna]
      #225391 - Tue Sep 27 2005 04:56 PM

There isn't any Internet Explorer or MSN Messenger in the Network Security. Not even when it's in use.

What should I do? In the meanwhile I'm using Windows SP2 firewall. It doesn't protect my computer very well. I need help as quick as you can!


John_McKenna
Moderator
HijackThis Helper


Reg'd: Wed
Posts: 7430
Loc: England
Re: Please check this log. [Re: blessa]
      #225420 - Tue Sep 27 2005 07:15 PM

In that case you must have the Application Behaviour blocker set to stop the .exe's associated with those programs from launching in the first place.

Right-click the Kerio icon in the system tray and select Configuration.

Select the Intrusions tab on the left.

You now have the choice of completely disabling this blocking feature by removing the check from the "Enable Application Behaviour Blocking" checkbox or individually removing the block for each application by clicking the Advanced button beneath and then making the necessary adjustments on the Settings and Applications tabs.

Sorted?