TheTechGuide Forum
General Category => Tech Clinic => Topic started by: gerbino on March 06, 2005, 02:13:58 AM
-
Logfile of HijackThis v1.99.1
Scan saved at 6:07:50 PM, on 3/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton\navapsvc.exe
C:\Program Files\Norton\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe
C:\Documents and Settings\riceboy\Application Data\rowi.exe
C:\WINDOWS\System32\n?lookup.exe
C:\Program Files\Norton\SAVScan.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\0756269.DLL
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\riceboy\Desktop\hijackthis\HijackThis.exe
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\Norton\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Win32 Network Driver] crss.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\RunServices: [Win32 Network Driver] crss.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - HKCU\..\Run: [Win32 Network Driver] crss.exe
O4 - HKCU\..\Run: [Bpas] C:\Documents and Settings\riceboy\Application Data\rowi.exe
O4 - HKCU\..\Run: [Knn] C:\WINDOWS\System32\n?lookup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC5E7C9-F471-440D-81B9-E84276470A59}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
please help =)
-
Download the Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip)
UNZIP it to a folder of your choice
Save the rest of these instructions to a Notepad file on your desktop and then close down all other open windows, including this one
Open Hijackthis>>Open Misc tools section>>Open Process Manager
Kill these processes if still running
C:\Documents and Settings\riceboy\Application Data\rowi.exe
C:\WINDOWS\System32\n?lookup.exe
Do another scan with Hijackthis and put a check next to these entries:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Win32 Network Driver] crss.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\RunServices: [Win32 Network Driver] crss.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKCU\..\Run: [Win32 Network Driver] crss.exe
O4 - HKCU\..\Run: [Bpas] C:\Documents and Settings\riceboy\Application Data\rowi.exe
O4 - HKCU\..\Run: [Knn] C:\WINDOWS\System32\n?lookup.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games4.cab
After you have ticked the above entries, close all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.
In Killbox
At the main screen of Pocket Killbox, select the option: Replace on Reboot
Also tick Use Dummy
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\System32\crss.exe
Press the button with a red circle and a white X
Click Yes to Replace
When asked if you would like to Reboot, select No.
Do the same for this one
C:\Documents and Settings\riceboy\Application Data\rowi.exe
Finally, in Full Path of File to Delete, copy and paste the following:
C:\WINDOWS\System32\pingppac.exe
Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
Restart your computer even if not prompted
Please try and restart into Safe mode, you can do this by tapping the F8 key on the keyboard as the system is booting up
In Safe Mode, access Add/Remove Programs and remove this if found
Preview AdService
Find and delete this folder
C:\Program Files\Preview AdService
Restart back to Normal mode
If prompted by any of your spyware removal tools about changes, allow them, or we will have to disable them so as not to interfere with our fixes
Back in Windows
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
When the above has been completed, post back with a Fresh Hijackthis log
Could you also
===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
Save this file on the desktop
regedit /e NSLook.reg "C:\WINDOWS\System32\n?lookup.exe"
Double click on Export.bat and a new file will be created on your desktop called
NSLook.reg
Right click on it and left click EDIT
Copy and paste back that information please
Could you also let me know, besides Microsoft's Anti-Spyware software
and BulletProof's spyware software,
what other spyware removal tools you have or have used, thanks
Can you also let me know if you paid for BulletProof's software; if not, don't
-
what's killbox? sorry mate.
-
Just on my way to bed
It's a small utility that will help to remove some files that you have identified in your log
You can see in my first reply to you I supplied a link to Killbox
Make sure you Unzip this, don't try and run it within the Zipped archive
Simply click on Pocket Killbox
In the first line of my first reply to you, that's a direct link to the utility
-
Oops, I just read the first line of your reply. Thanks again though - I'll let ya know how it goes. Cheers.
-
Logfile of HijackThis v1.97.7
Scan saved at 7:25:23 PM, on 3/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton\navapsvc.exe
C:\Program Files\Norton\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe
C:\Program Files\Norton\SAVScan.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\EA4997A9.DLL
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\Norton\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC5E7C9-F471-440D-81B9-E84276470A59}: NameServer = 210.80.58.34 210.80.58.42
Have a good night mate. Thanks again for helpin' out
-
You have not supplied the required information
I'll look at your next log once we have completed this one
I asked you to post back a fresh Hijackthis log
I didn't mean one from an old version of Hijackthis 1.97.7
I meant one from Hijackthis 1.99.1
I also asked you to include the contents of the file made by Export.bat
I also asked for information on BulletProof's software
When we get this log clean, I'll look at the next
Maybe try and go back and read everything I posted to you, not just bits and pieces
-
Hehe, sorry about that. Guess I was too eager to get into bed, so I didn't follow all of your instructions.
Well, I got up to saving the Export.bat file to my desktop, but every time I click on it a command prompt window pops up for a split second then disappears.
I don't think an NSLook.reg was created on the desktop.
What should I do now?
have a good one!
gerbino
-
Doh!!! Don't know what I was thinking
Delete Export.bat
NEXT
===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
Save this file on the desktop
dir C:\WINDOWS\System32\n?lookup.exe /a h > files.txt
notepad files.txt
Double click on Export.bat and a notepad file will open
Can you post the contents back here
Also, please post back a fresh Hijackthis log from version 1.99.1
Let me know about BulletProof's spyware removal software; if you didn't pay for it, uninstall it
It's bogus
-
Thanks for replying. It's heaps appreciated.
No, I didn't pay for BulletProof's software. I'll uninstall it after posting this reply. Here's the contents of the notepad file:
Volume in drive C has no label.
Volume Serial Number is B892-67B9
Directory of C:\WINDOWS\System32
08/23/2001 11:00 PM 71,680 nslookup.exe
02/09/2005 01:32 AM 417,792 n?lookup.exe
2 File(s) 489,472 bytes
Directory of C:\Documents and Settings\riceboy\Desktop
And here's the log from v1.99.1
Logfile of HijackThis v1.99.1
Scan saved at 7:17:28 PM, on 3/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton\navapsvc.exe
C:\Program Files\Norton\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe
C:\Program Files\Norton\SAVScan.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\B7E35047.DLL
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\riceboy\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\Norton\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC5E7C9-F471-440D-81B9-E84276470A59}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
cheers
-
Log looks good
If you have removed Bulletproof
Run another scan with hijackthis and fix this entry if still around
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
Restart the computer and delete this folder
C:\Program Files\BulletProofSoft.com
Also navigate to this folder
C:\WINDOWS\System32
Open it and look for this file
n?lookup.exe and delete it
CAREFUL
It may disguise as a legit file
As indicated here
08/23/2001 11:00 PM 71,680 nslookup.exe
02/09/2005 01:32 AM 417,792 n?lookup.exe
You want to delete this one
02/09/2005 01:32 AM 417,792 n?lookup.exe
May be named n?lookup.exe or have the same name as the legit
nslookup.exe
To ensure you have the right one, right click on the file and left click properties
Look for the bad guy that is about 417 KB in size and has a creation date of 02/09/2005
Once that is done
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Also ensure you are running a good firewall or at minimum have XP's firewall enabled
Only one firewall is needed
If you're not running through a NAT router
Why so far behind on Windows Updates? This is important for keeping your system secure
Just Criticals
If you want a couple great Spyware Removal software programs you can hang onto for free, along with Microsoft's Beta version
Check out the free versions of Spybot 1.3 and Ad-Aware SE Personal 1.05
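As an added illustration of the triage done in the first reply (the bare crss.exe and pingppac.exe autoruns, rowi.exe launched from Application Data) and in the reply above (n?lookup.exe posing as nslookup.exe), here is a small Python script that is not from the forum or from HijackThis. It assumes a hand-picked set of legitimate Windows binary names taken from the process lists in the logs, and the sample log and dir lines are constructed from those posts.

```python
import difflib
import re

# Assumed reference set: legitimate Windows binaries named in the thread's process lists.
KNOWN_SYSTEM_EXES = {"csrss.exe", "nslookup.exe", "svchost.exe", "services.exe",
                     "lsass.exe", "smss.exe", "winlogon.exe", "spoolsv.exe"}

# Constructed samples modelled on the first HijackThis log and the dir output posted above.
SAMPLE_O4 = r'''O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Win32 Network Driver] crss.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKCU\..\Run: [Bpas] C:\Documents and Settings\riceboy\Application Data\rowi.exe
O4 - HKCU\..\Run: [Knn] C:\WINDOWS\System32\n?lookup.exe'''
SAMPLE_DIR = r'''Directory of C:\WINDOWS\System32
08/23/2001  11:00 PM            71,680 nslookup.exe
02/09/2005  01:32 AM           417,792 n?lookup.exe'''
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)
DIR_RE = re.compile(r"^\d{2}/\d{2}/\d{4} +\d{2}:\d{2} [AP]M +(?P<size>[\d,]+) +(?P<name>\S+)$")

def lookalike(name):
    # Return the legitimate name this file name imitates, or None for an exact or unrelated name.
    low = name.lower()
    if low in KNOWN_SYSTEM_EXES:
        return None
    close = difflib.get_close_matches(low, KNOWN_SYSTEM_EXES, n=1, cutoff=0.8)
    return close[0] if close else None

def triage_o4(log_text):
    """Return (label, path, reasons) for each O4 autorun entry that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m["cmd"])
        path = exe["path"] if exe else m["cmd"]
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if "\\" not in path:  # crss.exe, pingppac.exe: no location given, found via PATH search
            reasons.append("bare file name, no fixed location")
        if "\\application data\\" in path.lower():
            reasons.append("runs from a user profile data folder")
        if "?" in base or not base.isascii():  # HijackThis prints '?' for odd characters
            reasons.append("non-displayable character in file name")
        imitated = lookalike(base)
        if imitated:
            reasons.append("name resembles system binary " + imitated)
        if reasons:
            findings.append((m["label"], path, reasons))
    return findings

def triage_dir(listing):
    """From a dir listing, return (name, size_bytes, imitated_name) for look-alike files."""
    out = []
    for line in listing.splitlines():
        m = DIR_RE.match(line.strip())
        if m and lookalike(m["name"]):
            out.append((m["name"], int(m["size"].replace(",", "")), lookalike(m["name"])))
    return out
```

Run it against a real log after confirming the reference set matches the processes you expect on that machine; the size reported for the look-alike is the figure the reply above tells you to check in Properties.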
-
Yeah, I am heaps far behind on the updates, huh? I'll do that when I get all this out of the way.
I can't seem to find
02/09/2005 01:32 AM 417,792 n?lookup.exe
I can find
08/23/2001 11:00 PM 71,680 nslookup.exe
easy enough, but the first one doesn't seem to be in that folder. What does that mean?
Thanks (again)
-
Sorry, but how would I activate a firewall?