hijackthis log


  • This topic is locked
15 replies to this topic

#1 bggrss

Posted 01 March 2006 - 12:16 PM

Logfile of HijackThis v1.99.1
Scan saved at 20:14:34, on 01.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ngsh35.clsIS - {392BAF48-A26A-45B5-9263-97128E429268} - C:\WINDOWS\system32\ngsh35.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [dxnote32] C:\WINDOWS\system32\dxnote32.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SimkaStudio] "C:\Program Files\Simka Çeviri Demo\SimkaStudio.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Türkçe'ye Çevir - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Simka Çeviri Demo\webie.exe
O9 - Extra 'Tools' menuitem: Tools Menu Item - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Simka Çeviri Demo\webie.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...tup1.0.0.15.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.host...ler/1118521.exe
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



#2 pskelley

Posted 02 March 2006 - 05:13 PM

Hello and welcome to the TomCoyote forum. You have a pretty good mess here :( If you still need help, we need to remove the New.Net hijacker first. I have yet to meet anyone who downloaded this junk on purpose; if you are the first, stop and make me aware.

1) Use these instructions to remove New.net, which is the O10 item in the log. If executed correctly, the line will be gone on a reboot.
http://www.newdotnet.com/removal.html

2) I need to know what this is: C:\WINDOWS\system32\dxnote32.exe <<< If you do not know it, then use these free online scans to find out what it is. Run at least two scans and post the results for me.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustota...h/index_en.html

3) You have a dialer onboard: http://www.viruslist...a?virusid=36897 You would be wise to keep this computer offline except when doing the cleanup.

When New.Net is gone, post a new HJT log along with the information from the scans in this same thread, I will respond as soon as possible after that. We have lots more to do.

I do not expect you will need it, the uninstaller seems always to work, but this is an emergency tool if you should have a problem connecting. Emergency only: http://www.snapfiles...nsockxpfix.html

Thanks...pskelley
TomCoyote forum
Expert Member

Edited by pskelley, 02 March 2006 - 05:16 PM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
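The triage pskelley does by eye in the post above (the O10 LSP entry, an unknown executable started from an HKLM Run key in system32, an O16 download entry pointing at a bare .exe, and hooks whose file is already gone) can be mechanised. The following is an added example by the editor, not code from this thread or from HijackThis: a small parser for the HijackThis v1.99 line format plus a handful of triage rules. The rules, the KNOWN_SYSTEM32 allowlist and the ADVICE text are this example's own assumptions, and SAMPLE_LOG is a constructed sample made from lines of the first log in the thread.

```python
"""Parse a HijackThis v1.99 log and flag the line types the helper acted on.

Added example, not code from the thread or from HijackThis. The triage rules,
the allowlist and the advice strings are assumptions of this example."""
import re
from dataclasses import dataclass

# Every HJT line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: "HKLM\..\Run: [name] "C:\path\prog.exe" -args"  or  "... [name] prog.exe"
AUTORUN_RE = re.compile(r'[^:]*: \[[^\]]*\] (?:"([^"]+)"|(\S+))')

# Autoruns living in system32 that are expected on a stock XP box (assumed allowlist).
KNOWN_SYSTEM32 = {"ctfmon.exe"}

# What a helper would tell the poster for each finding code (assumed wording).
ADVICE = {
    "orphaned-hook": "registry entry points at a file that no longer exists; fix it in HijackThis",
    "broken-lsp": "Winsock LSP chain references a missing DLL; use the vendor uninstaller or a Winsock repair tool, not a plain registry delete, or networking breaks",
    "dpf-exe": "Downloaded Program File points at a bare .exe rather than a .cab; treat it as a drive-by installer",
    "unknown-system32-autorun": "autorun in system32 with no known vendor; identify the file with a multi-engine scan before deleting",
}


@dataclass
class Entry:
    section: str
    body: str


# Constructed sample built from lines of the first log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: ngsh35.clsIS - {392BAF48-A26A-45B5-9263-97128E429268} - C:\WINDOWS\system32\ngsh35.dll (file missing)
O4 - HKLM\..\Run: [dxnote32] C:\WINDOWS\system32\dxnote32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.host...ler/1118521.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""


def parse_log(text):
    """Return one Entry per recognised HJT line; headers and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def autorun_target(body):
    """Executable launched by an O4 Run entry (quoted or bare), or None."""
    m = AUTORUN_RE.match(body)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(entries):
    """Apply the rules; returns (section, finding code, original body) tuples."""
    findings = []
    for e in entries:
        if "(file missing)" in e.body:
            findings.append((e.section, "orphaned-hook", e.body))
        if e.section == "O10":
            findings.append((e.section, "broken-lsp", e.body))
        if e.section == "O16":
            url = e.body.rsplit(" - ", 1)[-1]
            if url.lower().endswith(".exe"):
                findings.append((e.section, "dpf-exe", e.body))
        if e.section == "O4":
            target = autorun_target(e.body)
            if target and "\\system32\\" in target.lower():
                name = target.rsplit("\\", 1)[-1].lower()
                if name not in KNOWN_SYSTEM32:
                    findings.append((e.section, "unknown-system32-autorun", e.body))
    return findings


if __name__ == "__main__":
    for section, code, body in triage(parse_log(SAMPLE_LOG)):
        print(f"{section:4} {code:26} {body}")
        print(f"     -> {ADVICE[code]}")
```

The O10 rule deliberately does not say "fix in HijackThis": an LSP entry removed from the Winsock catalog without repairing the chain is exactly the "broken Internet access" condition the helper warns about, which is why the post points at the vendor uninstaller and keeps a Winsock repair tool in reserve.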

#3 bggrss

Posted 03 March 2006 - 04:49 AM

Thanks a lot for your help :) The instructions you gave for New.net worked well. The thing you didn't know (dxnote32.exe) was a Turkish trojan, and I solved the problem by reading some Turkish forums :)
As for the third thing, I really couldn't understand what a dialer is and what I should do.
This is my HJT log after the scan and the New.net removal:

Logfile of HijackThis v1.99.1
Scan saved at 12:46:24, on 03.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Simka Çeviri Demo\SimkaStudio.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SimkaStudio] "C:\Program Files\Simka Çeviri Demo\SimkaStudio.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Türkçe'ye Çevir - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Simka Çeviri Demo\webie.exe
O9 - Extra 'Tools' menuitem: Tools Menu Item - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Simka Çeviri Demo\webie.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...tup1.0.0.15.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.host...ler/1118521.exe
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 bggrss

Posted 03 March 2006 - 05:24 AM

And here's my report after the Kaspersky scan:

Infected Object Name | Virus Name | Last Action
C:\WINDOWS\drsmartload95a.exe Infected: Trojan-Downloader.Win32.Adload.t skipped
C:\WINDOWS\system32\shell386.exe Infected: Trojan-Downloader.Win32.Small.cjy

Infected Object Name | Virus Name | Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\08C62C25.exe Infected: Trojan-Dropper.Win32.Small.amd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\08C95622.exe Infected: Trojan-Downloader.Win32.Small.ckj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0CFF7580.exe Infected: Trojan-Downloader.Win32.Adload.u skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\109D4A10.exe Infected: Trojan.Win32.Diamin.i skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\298B7326.exe Infected: Trojan.Win32.Diamin.i skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\44F31A77.exe Infected: not-virus:Hoax.Win32.Renos.bp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79BC4EB2.exe Infected: Trojan-Spy.Win32.Small.dg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7BD33465.exe Infected: not-virus:Hoax.Win32.Renos.bp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7C254E0B.exe Infected: Trojan.Win32.StartPage.aib skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP66\A0017240.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP66\A0017247.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP67\A0017677.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP67\A0017686.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP67\snapshot\MFEX-1.DAT Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017714.exe Infected: Trojan-Spy.Win32.Small.dg skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017715.exe Infected: not-virus:Hoax.Win32.Renos.bp skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017721.exe Infected: Trojan.Win32.StartPage.aib skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017861.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017865.exe Infected: Trojan-Dropper.Win32.Small.amd skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017866.exe Infected: Trojan-Downloader.Win32.Small.ckj skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017867.exe Infected: Trojan-Downloader.Win32.Adload.u skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017869.exe Infected: not-virus:Hoax.Win32.Renos.bp skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017875.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017885.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017894.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017900.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017909.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017916.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0017945.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0018032.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0018040.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0018044.EXE Infected: Backdoor.Win32.Delf.agf skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0018050.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0018051.exe Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\snapshot\MFEX-1.DAT Infected: not-virus:Hoax.Win32.Renos.bq skipped
C:\WINDOWS\drsmartload95a.exe Infected: Trojan-Downloader.Win32.Adload.t skipped
C:\WINDOWS\system32\shell386.exe Infected: Trojan-Downloader.Win32.Small.cjy skipped

#5 pskelley

Posted 03 March 2006 - 05:28 AM

Good morning, and you are very welcome. Thanks for your help also; it looks like you removed one trojan. I see ewido onboard: open the program and choose Update, and allow time for it to finish. Now click Scanner, then Complete System Scan. Allow ewido to remove anything it locates unless you know it is not bad. Save that scan report; I must see it.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [sms_msn] C:\WINDOWS\system32\sms_msn.exe
see this >>> http://castlecops.co...list-12532.html
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...tup1.0.0.15.cab
FunWebPdts
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.host...ler/1118521.exe
Adult Content Dialer
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
old Spysweeper login

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders (reverse the process when finished).
http://www.xtra.co.n...1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\sms_msn.exe >>> file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsne...refetch-XP.html

If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove anything; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and your comments. How are you running now?

Thanks...Phil

#6 pskelley

Posted 03 March 2006 - 05:53 AM

Thanks, and I do appreciate your help. I often use Kaspersky but probably would not on this log. Please post only the logs I request. The information may come in handy, but ewido will remove the stuff for us; Kaspersky will not. Since viewing that log, let me caution you NOT to use System Restore until we clean it; that stuff would get back on your computer. Thanks

Edited by pskelley, 03 March 2006 - 05:54 AM.

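The two points pskelley makes in the posts above, that the Kaspersky online scan only reports (every entry says "skipped") while ewido actually cleans, and that hits inside System Volume Information are dormant until System Restore reinstates them, come down to reading each hit by where the file lives. The following is an added example by the editor, not code from the thread, from Kaspersky or from ewido: parsers for the two report formats as they appear in this thread (the Kaspersky one flattened onto a single line, as the forum pasted it), plus a classifier that separates live files from AV quarantine and restore-point copies. The category rules are this example's own assumptions, and the two sample inputs are constructed from paths quoted in the thread.

```python
"""Sort on-demand scanner hits by where the flagged file lives.

Added example, not code from the thread or from either scanner. The category
rules and the sample reports are assumptions built from paths in the thread."""
import re
from dataclasses import dataclass


@dataclass
class Hit:
    path: str
    name: str     # detection name exactly as the scanner printed it
    action: str   # "skipped", "Cleaned with backup", ...
    source: str   # which scanner's report the line came from


# Kaspersky online scanner output flattened onto one line, as pasted in the
# thread. Constructed sample using four paths quoted there.
KASPERSKY_FLAT = (
    r"C:\WINDOWS\drsmartload95a.exe Infected: Trojan-Downloader.Win32.Adload.t skipped "
    r"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\08C62C25.exe Infected: Trojan-Dropper.Win32.Small.amd skipped "
    r"C:\System Volume Information\_restore{75A4DB36-8229-43D2-9D6C-28A3F9368047}\RP68\A0018044.EXE Infected: Backdoor.Win32.Delf.agf skipped "
    r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Infected: Trojan-Spy.Win32.Small.dg skipped"
)

# ewido's one-hit-per-line format. Constructed sample, two lines from the thread.
EWIDO_REPORT = r"""
C:\Documents and Settings\user\Cookies\user@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\WINDOWS\system32\shell386.exe -> Downloader.Small.cjy : Cleaned with backup
"""

# A path starts at a drive letter; the non-greedy .*? stops at the first
# " Infected: ", so paths containing spaces survive the flattened layout.
KASPERSKY_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\.*?) Infected: (?P<name>\S+)(?: (?P<action>skipped|deleted|disinfected))?"
)
EWIDO_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$")


def parse_kaspersky_flat(text):
    """Recover one Hit per entry from a report that lost its line breaks."""
    return [Hit(m["path"], m["name"], m["action"] or "", "kaspersky")
            for m in KASPERSKY_RE.finditer(text)]


def parse_ewido(text):
    """One Hit per line of an ewido scan report; non-matching lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = EWIDO_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], m["name"], m["action"], "ewido"))
    return hits


def classify(path):
    """Where the flagged file lives decides what to do with it (assumed rules)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"   # inert until System Restore is used; purge by flushing restore points once clean
    if "\\quarantine\\" in p:
        return "av-quarantine"   # already neutralised by the resident AV
    return "live"                # on disk in a reachable location


def summarize(hits):
    """Count hits per category."""
    counts = {"live": 0, "av-quarantine": 0, "restore-point": 0}
    for h in hits:
        counts[classify(h.path)] += 1
    return counts


def actionable(hits):
    """Live files the scanner only reported (skipped) and nothing has cleaned yet."""
    return [h for h in hits if classify(h.path) == "live" and h.action == "skipped"]


if __name__ == "__main__":
    hits = parse_kaspersky_flat(KASPERSKY_FLAT) + parse_ewido(EWIDO_REPORT)
    for h in hits:
        print(f"{classify(h.path):14} {h.source:9} {h.name:36} {h.path}")
    print(summarize(hits))
    print("still to remove:", [h.path for h in actionable(hits)])
```

Running it on the constructed sample lists two live files still to remove (drsmartload95a.exe and ibm00001.dll), one hit already in Norton's quarantine and one inside a restore point; the restore-point copy is the reason for the warning not to use System Restore until the cleanup is finished.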

#7 bggrss

Posted 03 March 2006 - 07:04 AM

Hello again :) and thanks again. Here's my HJT log and my ewido scan report:

Logfile of HijackThis v1.99.1
Scan saved at 14:58:17, on 03.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SimkaStudio] "C:\Program Files\Simka Çeviri Demo\SimkaStudio.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Türkçe'ye Çevir - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Simka Çeviri Demo\webie.exe
O9 - Extra 'Tools' menuitem: Tools Menu Item - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Simka Çeviri Demo\webie.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.host...ler/1118521.exe
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


ewido:

--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 14:00:45, 03.03.2006
+ Report-Checksum: F280C69F

+ Scan result:

C:\Documents and Settings\user\Cookies\user@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Logger.Small.dg : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Logger.Small.dg : Cleaned with backup
C:\WINDOWS\drsmartload95a.exe -> Downloader.Adload.t : Cleaned with backup
C:\WINDOWS\system32\shell386.exe -> Downloader.Small.cjy : Cleaned with backup


::Report End


There's one more problem: I can't open my Windows Firewall!!! It says that there's an unknown error.

#8 pskelley

Posted 03 March 2006 - 08:34 AM

OK, we need to look at this program: O4 - HKCU\..\Run: [SimkaStudio] "C:\Program Files\Simka Çeviri Demo\SimkaStudio.exe"
Is this what it is? http://www.simkaltd.com/download.asp

I am getting a very bad reading from these, which at first glance I assumed were part of the above Demo program.

O9 - Extra button: Türkçe'ye Çevir - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Simka Çeviri Demo\webie.exe
O9 - Extra 'Tools' menuitem: Tools Menu Item - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Simka Çeviri Demo\webie.exe

When I search the CLSID number here: http://castlecops.com/O9.html I get these results:
10954C80-4F0F-11d3-B17C-00C0DFE39736 X Visit CrackPortal.com - Cracks, serialz, keygens Added by Trojan_Favadd
http://securityrespo...jan.favadd.html

We will remove this stuff, and if you find it is valid, download it again if you must when I am done. I must also say in many years of using CastleCops I have never found it to be wrong with a CLSID number.

The adult content dialer: O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.host...ler/1118521.exe
which I had posted for removal in the last instructions, is also still in the log. Did you miss it? Please see this information:
http://www.viruslist...a?virusid=36897

I would like you to do this:

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKCU\..\Run: [SimkaStudio] "C:\Program Files\Simka Çeviri Demo\SimkaStudio.exe"
O9 - Extra button: Türkçe'ye Çevir - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Simka Çeviri Demo\webie.exe
O9 - Extra 'Tools' menuitem: Tools Menu Item - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Simka Çeviri Demo\webie.exe
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.host...ler/1118521.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked".

Make sure hidden files and folders are still enabled, then locate and delete this folder:

C:\Program Files\Simka Çeviri Demo\

Restart the computer, then open Start > Control Panel > Security Center. There are three items there: Updates, Antivirus and Firewall. Tell me if they are on or off. I also need the error message you are receiving "word for word". Post this information and a new HJT log.

Thanks.

Edited by pskelley, 03 March 2006 - 08:36 AM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
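The triage pskelley is doing by hand above (look up the CLSID on an O9 entry, notice that an O16 DPF entry fetches a bare .exe with no class name) can be expressed as a small parser over HijackThis log lines. This is an added example, not code from the thread or from HijackThis; the known-bad CLSID set is a one-entry constructed list built from the CLSID looked up in this post, and the sample lines are constructed from the logs in this thread.

```python
import re

# HijackThis entries look like "O9 - Extra button: Name - {CLSID} - path".
# These patterns are written for the line shapes seen in this thread.
LINE_RE = re.compile(r"^(?P<kind>[ORF]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")

# Constructed one-entry list: the CLSID pskelley found on CastleCops above.
# Real triage would use a maintained list, not a hard-coded set.
KNOWN_BAD_CLSIDS = {"10954C80-4F0F-11D3-B17C-00C0DFE39736"}

# Constructed sample, copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O9 - Extra button: Türkçe'ye Çevir - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Simka Çeviri Demo\webie.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.host...ler/1118521.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
""".strip().splitlines()


def parse_line(line):
    """Split one HJT entry into kind, CLSID (if any) and trailing path/URL."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    parts = [p.strip() for p in body.split(" - ")]
    return {
        "kind": m.group("kind"),
        "clsid": clsid.group(1).upper() if clsid else None,
        "target": parts[-1],
        "raw": line.strip(),
    }


def triage(entry):
    """Return the reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    if entry is None:
        return reasons
    if entry["clsid"] in KNOWN_BAD_CLSIDS:
        reasons.append("CLSID listed as known-bad")
    if entry["kind"] == "O16":
        # Heuristic: DPF entries normally fetch a .cab and carry a class
        # name in parentheses; the dialer in this thread had neither.
        if entry["target"].lower().endswith(".exe"):
            reasons.append("O16 DPF points at an .exe instead of a .cab")
        if "(" not in entry["raw"]:
            reasons.append("O16 DPF has no class name")
    if "(file missing)" in entry["raw"]:
        reasons.append("referenced file is missing (stale entry)")
    return reasons


def triage_log(lines):
    """Map each flagged raw line to the list of reasons it was flagged."""
    flagged = {}
    for line in lines:
        reasons = triage(parse_line(line))
        if reasons:
            flagged[line.strip()] = reasons
    return flagged
```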

#9 pskelley

Posted 03 March 2006 - 08:53 AM

After you complete the last instructions and post the information, please do this:

Kaspersky scan: Restart the computer in safe mode: http://www.bleepingc...tutorial61.html
Make sure hidden files and folders are enabled, then navigate to the files in red and delete them. If they are gone, do not be concerned, just do not miss them.

C:\WINDOWS\drsmartload95a.exe

C:\WINDOWS\system32\shell386.exe

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll

Now navigate to the Quarantine folder in red and delete its contents, NOT THE FOLDER:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\

Restart the computer. Follow these instructions to clean System Restore files:
System Restore does not know good from bad, it backs up everything. In case some of the infection got into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, restart your computer and turn it back on.
http://service1.syma...src=sec_doc_nam

Once you have started System Restore, then run a new Kaspersky scan which should be clean. Post the results.

Thanks...Phil

#10 bggrss

Posted 03 March 2006 - 11:20 AM

Sorry for the delay, here it is:
"windows can not display the firewall settings because of an undescribed problem."

Logfile of HijackThis v1.99.1
Scan saved at 19:10:56, on 03.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\user\Desktop\koruma\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


#11 bggrss

Posted 03 March 2006 - 12:19 PM

I couldn't do the System Restore because that link doesn't work: http://service1.syma...m/SUPPORT/tsgen

Edited by bggrss, 03 March 2006 - 12:21 PM.


#12 bggrss

Posted 03 March 2006 - 12:27 PM

So the link worked now, I tried it again. I'm sorry, I'll be back.

#13 bggrss

Posted 03 March 2006 - 12:47 PM

This is the Kaspersky scan:

C:\RECYCLER\S-1-5-21-839522115-920026266-2147116355-500\Dc1.exe Infected: Trojan-Downloader.Win32.Small.ckj skipped
C:\RECYCLER\S-1-5-21-839522115-920026266-2147116355-500\Dc17.exe Infected: Trojan-Downloader.Win32.Adload.u skipped
C:\RECYCLER\S-1-5-21-839522115-920026266-2147116355-500\Dc19.exe Infected: not-virus:Hoax.Win32.Renos.bp skipped
C:\RECYCLER\S-1-5-21-839522115-920026266-2147116355-500\Dc2.exe Infected: not-virus:Hoax.Win32.Renos.bp skipped
C:\RECYCLER\S-1-5-21-839522115-920026266-2147116355-500\Dc21.exe Infected: Trojan.Win32.StartPage.aib skipped
C:\RECYCLER\S-1-5-21-839522115-920026266-2147116355-500\Dc22.exe Infected: Trojan-Dropper.Win32.Small.amd skipped
C:\RECYCLER\S-1-5-21-839522115-920026266-2147116355-500\Dc3.exe Infected: Trojan-Spy.Win32.Small.dg skipped
C:\RECYCLER\S-1-5-21-839522115-920026266-2147116355-500\Dc5.exe Infected: Trojan.Win32.Diamin.i skipped
C:\RECYCLER\S-1-5-21-839522115-920026266-2147116355-500\Dc6.exe Infected: Trojan.Win32.Diamin.i

#14 pskelley

Posted 03 March 2006 - 02:22 PM

Restart the computer, then open Start > Control Panel > Security Center. There are three items there: Updates, Antivirus and Firewall. Tell me if they are on or off. I also need the error message you are receiving "word for word". Post this information and a new HJT log.


You posted the HJT log and the error message. What about the information in bold?

Logfile of HijackThis v1.99.1 Scan saved at 19:10:56, on 03.03.2006
This HJT log is clean, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html
http://cybercoyote.o...not-admin.shtml

These are in the Recycle Bin: C:\RECYCLER\ <<< clean out everything in it. I wonder why they did not show in the first Kaspersky scan? That will mean the scan will be clean.

Here is some troubleshooting information for the Service Pack 2 firewall:
http://www.google.co...G=Google Search

You can contact Microsoft about that problem here:
http://www.google.co...ort&btnG=Search

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Safe surfing

Thanks...pskelley
TomCoyote forum
Expert Member
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

#15 bggrss

Posted 04 March 2006 - 01:31 PM

Hello again, I'm so sorry that I couldn't respond to you quickly.. I wasn't around. So, the quote in bold letters you're asking about: I've got Firewall, Updates and Internet Options in that place; I don't have an Antivirus option. As I said before, I can't see the firewall settings because it gives an error, and the updates are on :) So thank you so much for your help, I appreciate it very much!
