
Hjt Log Please Advise


8 replies to this topic

#1 deedub (New Member, 4 posts)

Posted 27 January 2005 - 08:35 PM

Log following, thank you in advance.

Logfile of HijackThis v1.99.0
Scan saved at 9:23:14 PM, on 1/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system\libac.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\STK014\STK014M.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
E:\Downloads\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ALLUSE~1.DHJ\LOCALS~1\Temp\cabil.dat
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\rtfyx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [*libac] C:\WINDOWS\system\libac.exe rerun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] E:\Games\steam\\Steam.exe -silent
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: STK014 PNP Monitor.lnk = ?
O4 - Global Startup: winlogin.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106693056513
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9F6D8A59-DD92-499D-944A-38FDB2CE46FF} (Napster download control v2.0) - http://sms.napster.c.../npdownload.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://eq2beta.stati.../soesysinfo.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6212EE0C-A769-4140-A2B2-00AFCD872684}: NameServer = 205.152.37.254 205.152.132.235
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


thanks



#2 Elrond (MRU Emeritus, Authentic Member, 733 posts, Interests: Skiing)

Posted 31 January 2005 - 02:11 PM

Hi deedub, welcome to Tom Coyote Forums. I'm looking over your log file and will get back to you soon. Elrond
Windows Security 2006-2007
Consumer Security 2008-2009


Trained at TC Classroom (The forerunner to WTT Classroom)

#3 Elrond (MRU Emeritus, Authentic Member, 733 posts, Interests: Skiing)

Posted 31 January 2005 - 05:58 PM

Hi there, deedub

Instructions:

Should you need instructions for:
Showing hidden files and folders in Windows.
Reboot in safe mode. If you have a keyboard with a "F Lock" key click it so that the "F" light above it is on when you start tapping the "F8" key.
How to print the fix instructions
Click the underlined links above.

How to unzip a downloaded zip file.
Place the zip file in the folder where you want the unzipped program to be.
If you are running Windows XP you simply right click the zip file and select extract here.
For the other versions of Windows you will need a program like 7-Zip. Open 7-Zip. Navigate to the downloaded zip file and highlight it. Right click and select "Extract Here".

When asked to post a new HijackThis log please
Close all windows and browsers.
Find the HijackThis folder. Open it and double click "HijackThis.exe". Click "Do a system scan" and save a "logfile". (If HijackThis shows you a "Scan" button instead of "Do a system scan" that is OK. Just click it.)
When the scan is finished, the "Scan" button will change into a "Save Log" button. Click it. Click "Ctrl-A" (the "Ctrl" key and the "A" key at the same time) to highlight the whole log. Now click "Ctrl-C" to copy the text. Open this topic and click the "Add Reply" button at the bottom of the page. Paste the log into the window that opens up by clicking "Ctrl-V". Click "Add Reply" to post.


Preliminaries:

1. Please copy the instructions to a notepad or preferably print them.

2. Make sure to work through the fixes exactly as given and in the exact order they are mentioned below.

3. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


Start the cleanup:


4. Click here to download CWShredder. Run it. Click 'fix' as opposed to 'scan only'. Reboot when done

5. Download Killbox.zip here
Extract it from the zip file.

Double-click on Killbox.exe to run it. In the 'Paste Full Path of File to Delete' box, copy and paste this entry:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
Select "Delete on Reboot". Then click the white X in the red circle. Click yes in the first dialog box to delete at reboot. Click yes at the second dialog box to force a reboot.

6. Open HijackThis, click "Open the Misc Tools Section", and click "Open process manager". Highlight C:\WINDOWS\system\libac.exe if it is there and click "Kill Process". Do not kill any other process.
Close HijackThis.

7. Open HijackThis and click "Do a System Scan Only". (If HijackThis shows a "Scan" button instead of "Do a System Scan Only" that is OK. In that case click "Scan".) When the scan is finished put a check mark by the items that are listed in bold below. If you can not find an item, that is OK. Just continue but inform me with your next post. Do not click fix until instructed to do so:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ALLUSE~1.DHJ\LOCALS~1\Temp\cabil.dat
O4 - HKLM\..\RunOnce: [*libac] C:\WINDOWS\system\libac.exe rerun
O4 - Global Startup: winlogin.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://x.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)


The following are recommended fixes:
Place a check against the following items:

O16 - DPF: {9F6D8A59-DD92-499D-944A-38FDB2CE46FF} (Napster download control v2.0) - http://sms.napster.c.../npdownload.cab

The following items are OPTIONAL and can be fixed by putting a check mark by each line. By fixing it you can shorten boot-up time and free up resources. You will not harm your program by doing this and you will still be able to start it manually via the start-button. It is your choice, so you must decide whether you want to get rid of it or not.

You have PowerReg Scheduler in your log. This is a registration reminder that is used by a number of different companies. It is not needed and some people think that it reports back to the company about your computer, so I suggest fixing it.
O4 - Startup: PowerReg Scheduler V3.exe

These are ActiveX files that will reload if and when they are needed.
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://eq2beta.stati.../soesysinfo.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab


CLOSE ALL PROGRAMS and BROWSERS that are running, except HijackThis and then click the "fix" button.

8. Delete the following File(s)/Folder(s) in BOLD while in Safe Mode.
Please note that some may not be there after using the removal tools.

c:\ied_s7.cab
c:\x.cab
C:\WINDOWS\system\libac.exe

9. * Close ALL windows except HJT
* SCAN with HJT
* POST the new log in this thread using "Add Reply" and we'll take another look.
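As an added example (not part of this thread, and not HijackThis code): a small Python triage script that parses HijackThis log lines and flags the kinds of entries Elrond singled out above: a BHO loaded from a Temp folder, a RunOnce value prefixed with "*", a startup file whose name is a near miss of a Windows system binary (winlogin.exe vs winlogon.exe), an O16 entry sourced from a local file:// CAB, and an SSODL entry with no backing file. The sample lines are copied from the first post; the heuristics and the `Finding` type are my own assumptions, not a forum or tool convention.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: log lines copied from the first post of this thread
# (the ones Elrond told the poster to fix, plus a few benign neighbours so
# both outcomes show up).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://everquest.allakhazam.com/
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ALLUSE~1.DHJ\LOCALS~1\Temp\cabil.dat
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [*libac] C:\WINDOWS\system\libac.exe rerun
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: winlogin.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
"""

# "O4 - <body>": section code, then the entry text.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
# "Startup: name" or "Global Startup: name.lnk = C:\path"
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>.+?)(?: = .*)?$")

# Core Windows binaries that malware likes to name itself after.
SYSTEM_BINARIES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe")


@dataclass(frozen=True)
class Finding:
    code: str     # HijackThis section, e.g. "O4"
    entry: str    # the original log line
    reason: str   # why it was flagged


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """Return the system binary this name imitates, if it is a near miss."""
    name = filename.lower()
    for legit in SYSTEM_BINARIES:
        if name != legit and edit_distance(name, legit) <= 2:
            return legit
    return None


def triage_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code == "O2":
        # Browser Helper Objects are DLLs installed under Program Files;
        # a .dat in a Temp folder (cabil.dat above) is neither.
        path = body.rsplit(" - ", 1)[-1]
        if re.search(r"\\temp\\", path, re.I) or not path.lower().endswith(".dll"):
            return Finding(code, line, "BHO loaded from a Temp folder or non-DLL file")

    elif code == "O4":
        # A '*' prefix on a RunOnce value makes Windows run it even in Safe
        # Mode, which is why libac.exe kept coming back for the poster.
        if "RunOnce:" in body and "[*" in body:
            return Finding(code, line, "RunOnce entry prefixed with '*' (also runs in Safe Mode)")
        s = STARTUP_RE.match(body)
        if s:
            legit = lookalike_of(s.group("name").rsplit("\\", 1)[-1])
            if legit:
                return Finding(code, line, f"startup file name imitates {legit}")

    elif code == "O16":
        # Downloaded Program Files should come from a web URL; a local
        # file:// CAB registered here was dropped, not downloaded.
        if re.search(r" - file://", body, re.I):
            return Finding(code, line, "ActiveX DPF entry sourced from a local file:// CAB")

    elif code == "O21" and body.endswith("(no file)"):
        # ShellServiceObjectDelayLoad entries load at logon; an orphaned
        # one is leftover loader config and should go.
        return Finding(code, line, "SSODL entry whose backing file is missing")

    return None


def triage(log_text: str) -> list:
    """Run every line of a HijackThis log through the checks above."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.entry}")
```

The checks are deliberately narrow: an entry that passes them is not thereby clean, which is why the helper still reviews the whole log by hand.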

#4 Elrond (MRU Emeritus, Authentic Member, 733 posts, Interests: Skiing)

Posted 31 January 2005 - 09:13 PM

Hi again deedub

MOST IMPORTANT: You Need to Update Windows and IE to get all the Latest Security Patches to protect your computer from the malware that is around on the internet. Please go to
Microsoft Windows and Internet Explorer Updates to get the critical updates. You need to get SP1. Do not update to SP2 until your computer is clean of spyware.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free)
Microsoft Office Update.


#5 deedub (New Member, 4 posts)

Posted 31 January 2005 - 09:26 PM

Thank you very much Elrond !!
A couple things:
I had already grabbed SP2 (hopefully I still cleaned the malware and such).
I believe the libac.exe was related to trojan.vundo. It's a tough nut. Ended up having to delete the file in safe mode and quickly jump to hjt and kill the process before the delete fully took. Otherwise I was denied access to delete.

Anyhow, here is my new hjt log (fingers crossed)

Logfile of HijackThis v1.99.0
Scan saved at 10:14:09 PM, on 1/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\STK014\STK014M.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
E:\Downloads\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cabil.dat
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\rtfyx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] E:\Games\steam\\Steam.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: STK014 PNP Monitor.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106693056513
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks again. PS: your instructions are wonderful ;)

#6 Elrond (MRU Emeritus, Authentic Member, 733 posts, Interests: Skiing)

Posted 03 February 2005 - 04:42 PM

Hi again deedub

Sorry for the delay.

A few more things to take care of.

1. Open HijackThis and click "Do a System Scan Only". (If HijackThis shows a "Scan" button instead of "Do a System Scan Only" that is OK. In that case click "Scan".) When the scan is finished put a check mark by the items that are listed in bold below. If you can not find an item, that is OK. Just continue but inform me with your next post. Do not click fix until instructed to do so:

O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cabil.dat
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\rtfyx.exe


CLOSE ALL PROGRAMS and BROWSERS that are running, except HijackThis and then click the "fix" button.

2. Reboot in safe mode and log in as Administrator

3. Delete the following File(s)/Folder(s) in BOLD while in Safe Mode.

C:\WINDOWS\System32\rtfyx.exe

C:\DOCUME~1\ADMINIstrator~1\LOCALSettings\Temp\cabil.dat <--if you can get to it.

4. Reboot in normal mode.

5. Download System Security Suite. Extract it from the zip file into a folder.
Under "Items to Clear" click all. Then click "Clear Selected Items".
This will cause your system to reboot.

6. * Close ALL windows except HJT
* SCAN with HJT
* POST the new log in this thread using "Add Reply"

#7 deedub (New Member, 4 posts)

Posted 04 February 2005 - 01:45 AM

OK, I think it's looking pretty good now. I really appreciate your assistance Elrond, here is hopefully the last log:


Logfile of HijackThis v1.99.0
Scan saved at 2:41:20 AM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\STK014\STK014M.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Downloads\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: STK014 PNP Monitor.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106693056513
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Thanks again kind sir =)

#8 Elrond (MRU Emeritus, Authentic Member, 733 posts, Interests: Skiing)

Posted 04 February 2005 - 07:06 AM

You are welcome, deedub, and well done.

Your log looks clean.

Now that your computer is free of malware, I want you to take some precautions to avoid being re-infected.

Settings and maintenance

1. Clean out temporary files.
Run "System Security Suite"
Mark the page under the "Items to Clean" tab like this. Run the program.

You should do this every few weeks to avoid buildup of unnecessary junk.


2. Clean Out System Restore.
Malware could get backed up in System Restore.
For Win XP follow these instructions to delete all restore points.
1. Go to "Start" > "Control Panel".
2. Make sure the Control Panel is in "Classic View". If it is not, click "Switch to Classic View" towards the top-left of the screen.
3. Double-click "System" and go to the "System Restore" tab.
4. Check "Turn off System Restore" and click "OK" and then "Yes".

After restarting your computer you should turn it back on by following the above procedure and uncheck "Turn off System Restore".

You can find out more about this subject at How to turn off or turn on Windows XP System Restore


3. Make your Internet Explorer more secure
This can be done by following these simple instructions that apply to all "Windows" except "Windows XP with SP2". In SP2 many of those settings are the default settings but check your settings anyhow. The settings can become restrictive but you should use them anyhow. If there are sites that will not show up right with those settings and that you rely on to be free of malware, place them in the trusted zone.

1. Click "Start". Open "Control Panel".
2. Select the "Internet Options"
3. Select "Security" Tab and select the following settings.

* ActiveX controls and plug-ins
• Download signed ActiveX controls: Disable
• Download unsigned ActiveX controls: Disable
• Initialize and script ActiveX controls not marked as safe: Disable
• Run ActiveX controls and plug-ins: Disable
• Script ActiveX controls marked safe for scripting: Disable

* Downloads
• Font Download: Disable

* Microsoft VM
• Java permissions: Disable Java

* Miscellaneous
• Allow META REFRESH: Disable
• Display mixed content: Disable
• Drag and drop or copy and paste files: Disable
• Installation of desktop items: Disable
• Launching programs and files in an IFRAME: Disable
• Navigate sub-frames across different domains: Disable
• Software channel permissions: High Safety
• Userdata persistence: Disable

* Scripting
• Active scripting: Disable
• Allow paste operations via script: Disable
• Scripting of Java applets: Disable

* User Authentication
• Logon: Prompt for username and password

4. When all these settings have been made, click on the OK button.
5. If it prompts you as to whether or not you want to save the settings, press the Yes button.
6. Next press the Apply button and then the OK to exit the Internet Properties page.


These are a must to protect yourself from malware.
1. Get a good anti-virus if you don't have one. A lot of people like AVG.
KEEP YOUR ANTIVIRUS UPDATED

2. Get a good firewall if you don't have one.
Many like ZoneAlarm. You can download a free copy here

Be restrictive with access to the internet. If you are unsure if the program really needs the access, test it by denying the access and see if this has any negative effects. If not make the block permanent.

3. MOST IMPORTANT: You need to keep "Windows" and "Internet Explorer" updated. Go to "Start" > "Control Panel" > "Security Center" > "Automatic Updates" and, if you are not sure that you will do an update in a timely manner, set "Automatic Updates" to automatically update your computer.

If you are running Microsoft Office, or any portion thereof, you must keep it updated as well. Go to Microsoft's Office Update site and make sure you have at least all the critical updates installed. Update MS Office here.

4. Download and install “SpywareBlaster”
Run it. Click "Updates" at the left and click "Check for Updates". After updating click "Protection" at the left and towards the bottom click "Enable All Protection". You should now be protected from all known bad ActiveX. You should occasionally check for updates.

5. Download and install "SpywareGuard"

Further tools

I highly recommend downloading and installing the newest versions of “AdAware SE Personal” and “Spybot Search and Destroy”
After installing remember to update the definition files for each program.
I also suggest that you visit this website and follow the instructions on how to configure both programs for best detection. These instructions are correct even though they refer to a cleanup of an infected computer.

There are many other programs that will add extra layers of protection to your computer as well.
I recommend “IE-Spyad” By default, it is unzipped to "C:\ie-spyad". Find out how to install it by going to the "ReadMe.txt". You should occasionally get updates by using the bat file or by uninstalling and deleting the old files and returning to the site to get the new version.

A Trojan scanner would also be helpful. You can download a trial version of "Trojan Hunter" and run it to remove any traces of trojans.

The ”a Squared” trojan Scanner has a free version. It is an onboard trojan scanner that is installed much like Spybot/AdAware but handles trojans. Nice to add to your armor if you wish.
Download free from “a Squared” (The download button is at the bottom of the page). Install it.
Run and activate your free version with a Squared and then select
Scan your computer for malware infections .
Then select any/all drives.
Finally Scan selected folders.

It is worthwhile to take a look at "So how did I get infected in the first place?" for some good advice.
A good source of information about computer security can be found at this website. ChrisRLG is an Administrator and Classroom Teacher at Tom Coyote.

Update all protective programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Best of luck and clean computing
Elrond

#9 deedub (New Member, 4 posts)

Posted 05 February 2005 - 12:11 AM

Wow, very thorough. Much I have or have done, from doing my own research when I started trying to sniff out the malware; the rest I thank you greatly for recommending. My best wishes to you and your loved ones, it is awesome of you and your peers to lend a hand =) many thanks, Deedub
