TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Guest_Daniel_* on May 15, 2005, 07:16:18 PM
-
Hi, I'm not very good at computers and saw your help about the clicksearchclick.com virus. I know I'm not allowed to post a new message here but I couldn't register. Is there a way to get rid of the virus? I downloaded the HijackThis program and have a logfile if you want to see it!
Thanks.
-
Why can't you register? What is the problem?
First go clear all your Cache and cookies
Then restart your browser
Come back to this post
What happens when you click on this link
http://www.thetechguide.com/forum/index.php?act=Reg&CODE=00
Remember to check the I AGREE
-
Never mind, so are you saying you always have to start another topic
That's weird
Go ahead and post a hijackthis log and let me see what's going on
~guestolo~
-
Logfile of HijackThis v1.99.1
Scan saved at 03:20:15, on 2005-05-16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program\Analog Devices\SoundMAX\Smtray.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\MMTray.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Delade filer\CMEII\CMESys.exe
C:\Program\D-Link\AirPlus G\AirGCFG.exe
C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\Delade filer\GMT\GMT.exe
C:\Program\PrecisionTime\PrecisionTime.exe
C:\Program\Delade filer\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\TightVNC-unstable\WinVNC.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Trillian\trillian.exe
C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
C:\Program\Winamp\winamp.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program\DashBar\DashBar17.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC-unstable\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program\Delade filer\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Påminnelser för Kalendern i Microsoft Works.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .mov: C:\Program\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program\TightVNC-unstable\WinVNC.exe" -service (file missing)
-
How did you post back to this thread???
Do the following and then get back to me in this thread
Try and register after we do these fixes
Download and Install the free version of Ad-Aware SE Personal 1.05 (ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
When installing, it may update, but double check anyways
Don't run a scan yet
After that
Download and Install Spybot S&D 1.3 (http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button)
Don't activate the Tea Timer when installing, it's a great feature but can get in the way
of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Again, don't run a scan yet, but ensure it is up to date
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Give the link time to load or try it twice, it may be busy
Install for now, don't run a scan yet
Now for some auto fixes
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
In safe mode
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off
Instead
Open Ad-Aware SE
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Please Restart your computer back to SAFE MODE when restarting
Back in Windows
Open Spybot
Click the Search & Destroy button on the left
Check for Problems on the right---When the Scan is complete
FIX all selected problems in RED
RESTART the computer to finish the cleaning process
This time Restart back to Normal mode
You shouldn't have a problem registering to the forum after that
Do so as it is a requirement
Do a fresh scan with Hijackthis and post a new log
If you still have problems signing in
I would recommend that you try a different browser
I use Mozilla Firefox all the time
It's free and more secure
Look here
http://www.mozilla.org/
Click the Free Download near the top left
-
Thanks a lot for your help. Now it seems that I can reply. I don't know why it works now.
I have succeeded in downloading all the files but not the Windows Cleanup file. When I click on the link you gave me the virus puts a stop to it.
Is there another way to get the program?
-
Go back up and try the link I supplied to register to the forum
Then post back
Also try Firefox and see if you can download CleanUp!
Consider Firefox as a backup browser, in case Internet Explorer is ever hijacked or not connecting
Daniel, there is a reason I ask you to register, one is
A better chance you will post back if you're registered
My biggest reason however
As a registered user>>Which is free to sign up
If you ever come back here in the future and need assistance again
I can search for your old posts and see if anything related in the past could help me out
As a guest, I can't search for your user name
-
Now I could register but not log in. This message comes up:
Sorry, an error occurred. If you are unsure on how to use a feature, or don't know why you got this error message, try looking through the help files for more information.
The error returned was:
You must enter a username
And I wrote my username!
It is DanielBroman.
-
Thank you Guestolo for all your help yesterday.
This morning I followed your instructions and my computer is working well again.
Take care / Daniel
-
Daniel, now that you're signed up and ran the programs I mentioned
You should post another fresh Hijackthis log to your other thread, or here
Let's make sure nothing is still lurking
I won't be able to see it until I get off work, but it's still a good idea to post a final log
-
Logfile of HijackThis v1.99.1
Scan saved at 17:29:13, on 2005-05-16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program\Analog Devices\SoundMAX\Smtray.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\MMTray.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\D-Link\AirPlus G\AirGCFG.exe
C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\TightVNC-unstable\WinVNC.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Trillian\trillian.exe
C:\HJT\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC-unstable\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .mov: C:\Program\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program\TightVNC-unstable\WinVNC.exe" -service (file missing)
What do you think, does it look ok?
-
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer
Find and delete this folder if found
C:\WINDOWS\System32\Services <-this folder
Run another scan with hijackthis and post a fresh log
-
The reason why you can not log in is because of these 2 registry entries
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE
which is running this service...
C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
I know of this file because I had a virus similar to this. The difference in mine was that I didn't have the security.exe file. Instead I just had the SVCHOST.EXE file and its dll files. How I was able to post my situation though was because I know how to use the MSCONFIG tool, and I know what files are safe to disable at startup.
Symptoms
This type of virus is known to block people from running online virus scans. This happens when you click on the link thinking you are being directed to the free online scan, but instead it redirects you to the www.clicksearchclick.com site.
So either guestolo is going to have to understand that this type of virus is not going to allow you to log in to this forum, or you could get a head start in removing at least this virus by trying this possible chance as follows...
Run Hijackthis again, and put a checkmark on the following bold entries...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE
Then after checking the above, make sure that all other windows are closed except for Hijackthis, and then click on FIX CHECKED
click ok to the prompt and then exit Hijackthis
Next, reopen Hijackthis, but this time open the misc. tools section. Then click on delete a file on reboot and browse and select the file down below in this location...
C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
Then click on open and then click on the reboot button at the Hijackthis prompt. However, this time you want to boot in safe mode. You can do this by holding the F8 key before the Windows XP logo comes up. You will know you did it right because instead of Windows booting, you get a bunch of options to choose from. What you want to choose is just the words "safe mode". When the welcome screen pops up, select the user name that you use to log in to Windows. Next
if you get a warning message saying that you are in safe mode, just click on ok. Then you will want to locate the folder down below and delete it.
C:\WINDOWS\System32\Services <- just this folder that is in bold
After that you will want to reset your browser startup page to the original startup page that you like using. You can do this by going to Start->Control Panel. Once the Control Panel loads, click on Internet and Network Connections and then click on Internet Options. At the top of the Internet Options dialog box, there is a setting where you can type in what you want your startup page to be. For example, if you like going to www.google.com most frequently, then you would type www.google.com in the startup text box. You can set it to whatever valid URL you want, but you don't want it to say www.clicksearchclick.com
Then reboot the computer in normal mode, and this should clear the problem of not being able to log-in to this site. Though before you do come back, I would suggest doing another Hijackthis scan and posting the fresh log back in here so that guestolo can finish helping you.
Also, I hope that guestolo or any other moderator in here doesn't take my post in the wrong way. It is just that I thought it wasn't fair that this person couldn't get help because the virus that he/she has is hijacking his/her browser and blocking logging in. In addition, the instructions that I have posted here are the same as what guestolo showed me to do to get rid of this virus. The only difference is, I disabled the startup of this virus before posting my question when I needed the help, and maybe that's why guestolo didn't know why you couldn't log in.
-
Thanks for the input Roofy
But we carried on HERE (http://www.thetechguide.com/forum/index.php?showtopic=17413)
-
Oops, sorry about that. I was getting kind of confused considering that Daniel had so many posts. I have been reading other topics looking to see if there is a pattern to these viruses. The reason being is I'd like to see if I could build a program that could help others. The only pattern that I see is that the viruses are writing a startup key in the registry. I am thinking of building a registry key monitor that allows users to not have to post their logs. However this would be complicated because if someone doesn't know what they're doing they could do more harm than what the virus did. I would need to build a definition list of either what are valid registry keys or, what might be safer, find a way that I can get my hands on a definition list of all the possible bad registry keys. Sort of just like how SpywareBlaster has a definition list of all the bad URLs and places them in the user's restricted zone.
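As an added example (not code from the thread, from HijackThis, or from the program Roofy describes), here is a small Python triage script for the pattern discussed above: it parses the O4 Run entries and the R0 start-page entry of a HijackThis log and flags the ones a helper in this thread would tell the user to fix. The sample log lines are copied from the logs posted above; the hijack domain list and the folder where svchost.exe is expected to live are assumptions.

```python
"""Triage a HijackThis v1.99-style log for the persistence pattern seen in this thread.

Flags an O4 Run entry when its executable
  * is named svchost.exe but does not live in C:\WINDOWS\System32, or
  * lives in a GUID-named folder under System32\Services,
and flags an R0 start-page entry that points at a known hijack domain.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption: the only hijack domain known here is the one named in the thread.
HIJACK_DOMAINS = {"clicksearchclick.com"}

# Assumption: where svchost.exe legitimately lives on a Windows XP box.
SVCHOST_HOMES = {r"c:\windows\system32"}

O4_RUN = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R0_START = re.compile(r"^R[01] - .*Start Page = (?P<url>\S+)", re.IGNORECASE)
# A drive-letter path ending in .exe, optionally quoted; arguments follow it.
DRIVE_PATH = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)
GUID_SERVICES_DIR = re.compile(
    r"\\system32\\services\\\{[0-9a-f-]{36}\}\\", re.IGNORECASE)

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE
"""


def executable_path(cmd: str) -> str:
    """Return the program part of an O4 command line, without quotes or arguments."""
    m = DRIVE_PATH.search(cmd)
    return m.group("path") if m else cmd.split()[0]


def suspicious_reasons(path: str) -> List[str]:
    """Reasons an autostart executable path matches the thread's malware pattern."""
    reasons = []
    folder, _, filename = path.rpartition("\\")
    if filename.lower() == "svchost.exe" and folder.lower() not in SVCHOST_HOMES:
        reasons.append("svchost.exe running from outside System32")
    if GUID_SERVICES_DIR.search(path):
        reasons.append("executable lives in a GUID-named folder under System32\\Services")
    return reasons


def hijacked_start_page(url: str) -> bool:
    """True if the start page host is, or is a subdomain of, a known hijack domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries that match the pattern."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN.match(line)
        if m:
            reasons = suspicious_reasons(executable_path(m.group("cmd")))
            if reasons:
                findings.append((line, "; ".join(reasons)))
            continue
        m = R0_START.match(line)
        if m and hijacked_start_page(m.group("url")):
            findings.append((line, "start page set to a known hijack domain"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

The two O4 entries it flags are exactly the ones guestolo and Roofy told Daniel to fix with FIX CHECKED, and the R0 line is the hijacked start page.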
-
Thanks again for the help. Here is the new log:
Logfile of HijackThis v1.99.1
Scan saved at 00:56:44, on 2005-05-19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program\Analog Devices\SoundMAX\Smtray.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\MMTray.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\D-Link\AirPlus G\AirGCFG.exe
C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\TightVNC-unstable\WinVNC.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Messenger\msmsgs.exe
C:\HJT\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC-unstable\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .mov: C:\Program\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program\TightVNC-unstable\WinVNC.exe" -service (file missing)
-
I merged these 2 topics together
Deleted a couple also
It was getting confusing earlier, but I understand it was not your fault
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection