Author Topic: CANY ANY1 HELP?  (Read 12136 times)

irish-paddy
CANY ANY1 HELP?
« on: January 24, 2005, 04:21:12 PM »
I only started my internet connection on the 14th Jan 2005. I don't really have a clue about viruses and firewalls etc.

My internet is broadband and I stupidly/accidentally turned off my firewall. The longest my connection ever lasted was 2 mins.

I have spent the last week and a half learning and trying to remove spyware/viruses etc. etc. etc.

It's working a lot better now, but I don't really know what I did, and I'm sure something is still wrong as it won't let me open Norton AntiVirus even after many uninstallations/reinstallations. It also doesn't let me open HijackThis except in Safe Mode, and I can't get onto Norton's website either. I want to use eBay etc. but am too scared to use my credit card.

Would really, really appreciate help from anyone.
Cheers,
irish paddy


P.S.
Here's my log if anyone cares.

Logfile of HijackThis v1.99.0
Scan saved at 16:10:56, on 24/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\Run: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\Run: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Spool] C:\WINDOWS\TEMP\msvcreal.exe
O4 - HKLM\..\Run: [xcz] C:\WINDOWS\xcz.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [e2M35W] C:\WINDOWS\yilcrmb.exe
O4 - HKLM\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunServices: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\RunServices: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunServices: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CTI Central Management - Unknown - C:\WINDOWS\cti.exe (file missing)
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
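Reading the O4 block above, a practitioner wants to separate the vendor autoruns (NVIDIA, Roxio, Eicon, Symantec, AntiVir) from the bot entries without needing a signature database. The Python below is an added example written for this thread; it is not HijackThis code and not from either poster. It parses O4 lines and applies five heuristics that are the editor's assumptions, not HijackThis features: a command given as a bare filename (resolved through PATH lookup, typically to a dropper in System32), a display name that borrows words like "Microsoft Windows Update", an executable under TEMP, use of the RunServices key (honoured by Windows 9x/ME and ignored by XP, so legitimate XP software has no reason to write it), and the same binary registered in three or more autorun locations. The sample is a subset of the first log copied verbatim. Randomised names such as kxcddqojunj.exe are left to the eye; the example only catches that one through its RunServices entry.

```python
"""Triage of HijackThis O4 (autorun) lines.

Added example for this thread; not part of HijackThis and not code from the
posts. The heuristics below are the editor's own assumptions about what
separates the bot entries in the log from the vendor entries around them.
"""
import re
from collections import defaultdict

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Words the bot droppers in this log use to look like Windows components.
MIMIC_WORDS = ("microsoft", "windows", "win32", "update", "driver",
               "service", "checkup", "logging", "legacy")

# Subset of the first log in the thread, copied verbatim.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\Run: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\Run: [Spool] C:\WINDOWS\TEMP\msvcreal.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunServices: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
"""


def _first_token(cmd):
    """Split a command line into (program, remainder), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def launched_file(cmd):
    """The file that actually runs; for rundll32 that is the DLL argument."""
    prog, rest = _first_token(cmd)
    if prog.rsplit("\\", 1)[-1].lower() == "rundll32.exe" and rest:
        prog, _ = _first_token(rest.split(",", 1)[0])
    return prog


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return {basename: {"reasons": set, "locations": [(hive, key), ...]}}."""
    findings = defaultdict(lambda: {"reasons": set(), "locations": []})
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not a registry autorun (Global Startup etc.)
        hive, key, name, cmd = m.group("hive", "key", "name", "cmd")
        target = launched_file(cmd)
        entry = findings[basename(target)]
        entry["locations"].append((hive, key))
        if "\\" not in target and ":" not in target:
            entry["reasons"].add("bare filename, resolved through PATH lookup")
        if "\\temp\\" in target.lower():
            entry["reasons"].add("runs from a TEMP directory")
        if key == "RunServices":
            entry["reasons"].add("uses RunServices (Win9x key, ignored by XP)")
        if any(w in name.lower() for w in MIMIC_WORDS):
            entry["reasons"].add("display name imitates a Windows component")
    for entry in findings.values():
        if len(entry["locations"]) >= 3:
            entry["reasons"].add(
                "registered in %d autorun locations" % len(entry["locations"]))
    return dict(findings)


def suspicious(log_text, min_reasons=1):
    """Basenames with at least min_reasons hits, worst first, then by name."""
    ranked = sorted(triage(log_text).items(),
                    key=lambda kv: (-len(kv[1]["reasons"]), kv[0]))
    return [(k, sorted(v["reasons"])) for k, v in ranked
            if len(v["reasons"]) >= min_reasons]


if __name__ == "__main__":
    for exe, reasons in suspicious(SAMPLE_LOG):
        print(exe)
        for r in reasons:
            print("   -", r)
```

Feed it the whole O4 block of a log and the vendor entries drop out with no reasons while the bot entries stack up three or four each; the count of autorun locations is the quickest tell, since a legitimate installer writes one Run value, not Run, RunServices and RunOnce under both HKLM and HKCU.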

guestolo (Administrator)
CANY ANY1 HELP?
« Reply #1 on: January 24, 2005, 09:18:02 PM »
You have a few problems. I need you to download a few tools, please.
With some cleaning we can get you running smoothly again, but please try and do whatever you can.

First: go to START > RUN, type in services.msc and hit Enter.
In the next window, look on the right-hand side for this service
name: NT login service << exact service name

Double-click on it, STOP the service,
and in the drop-down menu change the startup type to Disabled.

Do the same for this one if it is running:
CTI Central Management

============================================
Download
Windows CleanUp! by Steven Gould
Install it for now, but don't run a scan yet.
This will clean all your temp folders, cookies, prefetch, etc.

===============================================
Download and UNZIP to a folder Hoster by Toadbee.
Open up Hoster and click the RESTORE ORIGINAL HOSTS button.
==========================================

Download the trial version of TDS-3 anti-trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe
This is good for 30 days.
Install it and restart your computer when prompted.
Don't run a scan yet.

When you're back in Windows it's important to update to the latest RADIUS database.
IMPORTANT >>> Right-click the link below and select "Save target as" or "Save link as":
http://www.diamondcs.com.au/tds/radius.td3
Save it to the directory where you installed TDS-3.
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3.

Launch TDS-3. You can run this in Safe Mode. In the top bar of the TDS window click System Testing > Full System Scan.
Let it completely finish scanning, even if it appears to freeze at times.
Detections will appear in the lower pane of the TDS window after the scan is finished (it'll take a while). Right-click the list, select Save as txt, and save this to a convenient location.

After saving the scandump, go ahead and right-click the list of alarms again; this time select Delete. Only delete those with POSITIVE IDENTIFICATION.

RESTART the computer.
=======================================================

Download and install the free version of Ad-Aware SE Personal 1.05.
Ensure you have this version or the paid version.
Open Ad-Aware, make sure to click the "Check for updates now" link, and Connect to download the latest updates.
Ad-Aware may check for updates and run a scan when installing.
Allow it to update, but don't run a scan at this time.
I prefer you run this in Safe Mode, but make sure you update first.

In Safe Mode:
Open Ad-Aware.
Perform a Full System Scan; uncheck "Search for Negligible Risk Entries" before scanning.
When it's finished scanning,
at this point you should either right-click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox,
then click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button.

RESTART your computer back into Safe Mode to finish the cleaning process.

Open Windows CleanUp! in Safe Mode >>> Start >> All Programs >> CleanUp
Click the CleanUp button.
Let it finish scanning for files; when it's done it will prompt you to log off. Don't; instead restart your computer back into Normal Mode.

You should also try and do an online virus scan at Trend Micro's >> set to Autoclean
http://housecall.trendmicro.com/
and/or at Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm

If you can't access either Trend Micro's or Panda's, try opening up Hoster again
and Restore Original Hosts.
Then try again.

Try and do all the above if you can. If not, do what you can, and post back a fresh HijackThis log afterwards.
Could you also post the scandump.txt from TDS-3?

Let me know what you could accomplish and what still needs to be done.
Regardless, post back a fresh HijackThis log.
Try and post a log in Normal Mode if you can.
« Last Edit: January 25, 2005, 02:23:45 AM by guestolo »

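The reply above sends the user to Hoster to restore the original hosts file, the first post says Norton's website cannot be reached, and both logs carry an O17 line with NameServer = 127.0.0.1. The Python below is an added example for this thread; it is not code from Hoster, from HijackThis or from either poster. It audits a hosts file for blackholed or redirected security-vendor names, produces a cleaned copy that keeps comments, localhost and ordinary static mappings (what the "restore original hosts" step amounts to on XP when nothing else was in the file), and checks an O17 NameServer value for a loopback resolver, which means DNS is being answered by a process on the machine itself. The hosts sample is constructed for the demo, apart from the dcsresearch.com line, which is the O1 entry from the second log; the thread does not settle whether that entry is hostile, so the audit reports it, and the cleaner drops it only because a wholesale restore of the stock file would too. The SECURITY_DOMAINS list is the editor's assumption.

```python
"""Hosts-file and DNS (O17) audit for a cleanup like the one above.

Added example for this thread; not code from Hoster, HijackThis or the
posters. SECURITY_DOMAINS and the sample hosts content are the editor's
assumptions; the dcsresearch.com line is the O1 entry from the second log.
"""
import ipaddress
import re

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# Sites this cleanup depends on; any mapping for them deserves a look.
SECURITY_DOMAINS = ("symantec.com", "norton.com", "trendmicro.com",
                    "pandasoftware.com", "dcsresearch.com", "diamondcs.com.au",
                    "windowsupdate.com", "microsoft.com")

# Constructed hosts file for the demo; one line copied from the O1 entry above.
SAMPLE_HOSTS = """\
# Hosts file as found on the box (constructed sample)
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       housecall.trendmicro.com
64.91.255.87    www.dcsresearch.com
127.0.0.1       ads.example.net
192.168.1.5     fileserver.home
"""

# The O17 line from the logs above.
SAMPLE_O17 = (r"O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}:"
              r" NameServer = 127.0.0.1")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,\s]+)$")


def is_security_domain(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping; comments and blanks skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name


def audit_hosts(text):
    """List (hostname, ip, verdict) for every mapping other than localhost."""
    findings = []
    for ip, name in parse_hosts(text):
        if name.lower() in LOOPBACK_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        blackholed = addr.is_loopback or addr.is_unspecified
        if is_security_domain(name):
            verdict = ("security vendor site blackholed" if blackholed
                       else "security vendor site redirected to %s" % ip)
        elif blackholed:
            verdict = "blackholed (ad-block lists do this too; verify)"
        else:
            verdict = "static mapping to %s (informational)" % ip
        findings.append((name, ip, verdict))
    return findings


def clean_hosts(text):
    """Drop vendor-site and blackhole entries; keep comments, localhost and
    ordinary static mappings. With none of those present this is the stock
    XP file, which is what Hoster's restore produces."""
    drop = {(name, ip) for name, ip, verdict in audit_hosts(text)
            if verdict.startswith(("security vendor", "blackholed"))}
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and any((n, fields[0]) in drop for n in fields[1:]):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


def audit_nameserver(o17_line):
    """Problems with a HijackThis O17 NameServer value; None if not an O17 line."""
    m = O17_RE.match(o17_line.strip())
    if not m:
        return None
    problems = []
    for s in m.group("servers").replace(",", " ").split():
        addr = ipaddress.ip_address(s)
        if addr.is_loopback:
            problems.append("%s: resolver is a process on this machine; "
                            "a hijack unless a local DNS service was installed" % s)
        elif addr.is_link_local or addr.is_unspecified:
            problems.append("%s: not a usable resolver" % s)
    return problems


if __name__ == "__main__":
    for name, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print("%-32s %-15s %s" % (name, ip, verdict))
    print(audit_nameserver(SAMPLE_O17))
    print(clean_hosts(SAMPLE_HOSTS))
```

On XP the file to feed into audit_hosts is C:\WINDOWS\system32\drivers\etc\hosts; the blackholed vendor entries explain a symptom like "can't get onto Norton's website", and a loopback NameServer explains lost name resolution once the process answering on 127.0.0.1 is killed, so the O17 value needs to be reset to the ISP's (or DHCP) resolvers as part of the same cleanup.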


irish-paddy
CANY ANY1 HELP?
« Reply #2 on: January 25, 2005, 06:47:48 PM »
Cheers for the help. Much appreciated.

I did everything right down until Start >> All Programs >> Cleanup. I couldn't find this, so I did a Disk Cleanup (is that what you meant?).

I restarted back in Normal Mode and Norton AntiVirus automatically came up. I didn't want to do a scan with it, so I restarted back in Safe Mode. I tried to do a scan with Norton but it wouldn't open.
I restarted back in Normal Mode. I didn't try to use Norton, just closed them, but then Spybot Search & Destroy came up with some message and it wouldn't close. Also something kept turning off my internet firewall.
Anyway, I was on the internet when Norton came up saying "email message scanned" about 30 times. Somehow my computer was sending loads of stuff to different email addresses.

(I just had to disconnect and reconnect because I had to turn my firewall on; it somehow got turned off.) Uninstalled Spybot.

I was just wondering what this file is. It's in C: and it's a folder called "78a710ce9dfe875110"; there's a folder inside it called "sp2" which access is denied to. Is this a virus?

Here's my new log
Logfile of HijackThis v1.99.0
Scan saved at 20:54:29, on 25/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\Run: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\Run: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Spool] C:\WINDOWS\TEMP\msvcreal.exe
O4 - HKLM\..\Run: [xcz] C:\WINDOWS\xcz.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\Run: [e2M35W] C:\WINDOWS\yilcrmb.exe
O4 - HKLM\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunServices: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\RunServices: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunServices: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKLM\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

scandump
Scan Control Dumped @ 20:01:44 25-01-05
RegVal Trace: Ill ICQ Notify: HKEY_LOCAL_MACHINE
  File: Software\Microsoft\Windows\CurrentVersion\Run [windows update=msnmsgrs.exe]

RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
  File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft System Checkup=libsysmgr.exe

RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
  File: Software\Microsoft\Windows\CurrentVersion\RunServices [Microsoft System Checkup=libsysmgr.exe

RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
  File: Software\Microsoft\Windows\CurrentVersion\Run [NT Logging Service=syslog32.exe

RegVal Trace: Worm.Leox please submit: HKEY_LOCAL_MACHINE
  File: Software\Microsoft\Windows\CurrentVersion\RunServices [windows update=msnmsgrs.exe]

RegVal Trace: DDoS.RAT.SDBot: HKEY_CURRENT_USER
  File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Windows Update=swwhost.exe]

RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
  File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Windows Update=swwhost.exe]

RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
  File: Software\Microsoft\Windows\CurrentVersion\RunServices [Microsoft Windows Update=swwhost.exe]

RegVal Trace: TrojanProxy.Win32.Ranky: HKEY_LOCAL_MACHINE
  File: Software\Microsoft\Windows\CurrentVersion\Run [Spool=C:\WINDOWS\TEMP\msvcreal.exe]

Positive identification: DDoS.RAT.SDBot.up
  File: c:\windows\system32\libsysmgr.exe

Positive identification: TrojanDownloader.Win32.Dyfuca.ds
  File: c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\gnu96rm3\optimize[1].exe.tcf

Suspicious Filename: Dual extensions
  File: c:\documents and settings\patrick deighan\desktop\my music\music\music albums\tenacious d\imp.wps.doc

Positive identification (embedded in file): Adware.ToolBat.EliteBar.z (dll)
  File: c:\documents and settings\patrick deighan\local settings\temp\suicidetb.exe.tcf

Positive identification: DDoS.RAT.Wootbot.fj
  File: c:\program files\avpersonal\infected\msrepair.vir

Positive identification: DDoS.RAT.Wootbot.fj
  File: c:\program files\avpersonal\infected\msrepair.vir00

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir00

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir01

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir02

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir03

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir04

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir05

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir06

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir07

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir08

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir09

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir10

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir11

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir12

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir13

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir14

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir15

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir16

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir17

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir18

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir19

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir20

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir21

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir22

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir23

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir24

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir25

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir26

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir27

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir28

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir29

Positive identification: DDoS.RAT.rBot.acu
  File: c:\program files\avpersonal\infected\navprotect.vir30

Positive identification: Trojan.Win32.LowZones.ab
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp159\a0091709.exe

Positive identification: Adware.BargainBuddy.n2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp159\a0091725.exe

Positive identification: DDoS.RAT.Agobot.yj
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp160\a0092949.exe

Positive identification: TrojanDownloader.Win32.IstBar.go1
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0094172.exe

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0094183.exe.tcf

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0094186.exe

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0095185.exe.tcf

Positive variant identification: Beast 2.02 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0095186.exe.tcf

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0095194.exe

Positive variant identification: Beast 2.02 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp162\a0095205.exe.tcf

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp164\a0095331.exe.tcf

Positive variant identification: Beast 2.02 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp164\a0095332.exe.tcf

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp164\a0095335.exe

Positive identification: DDoS.RAT.Agobot.yj
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp164\a0095340.exe

Positive variant identification: Beast 2.02 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp165\a0095350.exe.tcf

Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp165\a0096346.dll.tcf

Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp166\a0096428.dll.tcf

Positive variant identification: Beast 2.02 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp167\a0096447.exe.tcf

Positive identification: DDoS.RAT.Agobot.yj
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp167\a0096454.exe

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp167\a0096457.exe

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp167\a0096459.exe.tcf

Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0096666.dll.tcf

Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0096682.dll.tcf

Positive variant identification: Beast 2.02 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0096683.exe.tcf

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0096684.exe.tcf

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0096687.exe

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0097682.exe.tcf

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp168\a0098683.exe.tcf

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0098685.exe.tcf

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0098688.exe

Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0098691.dll.tcf

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0098700.exe.tcf

Positive identification: Adware.WinAD.m
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0098704.exe

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0099741.exe.tcf

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0099744.exe

Positive identification: DDoS.RAT.Agobot.yj
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0099765.exe

Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0099772.dll.tcf

Positive identification: DDoS.RAT.SDBot.rz
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp169\a0099773.exe

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp170\a0100808.exe.tcf

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp170\a0100811.exe

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp170\a0100819.exe.tcf

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp170\a0101861.exe

Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp171\a0102857.dll.tcf

Positive identification (DLL): Adware.Relevance.b (dll)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp171\a0102858.dll

Positive identification (DLL): Adware.Relevance.b (dll)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp171\a0102859.dll

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103694.exe

Positive variant identification: Beast 2.02 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103695.exe

Positive identification: DDoS.RAT.rBot.yo
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103699.exe

Positive identification: Adware.BargainBuddy.n2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103729.exe

Positive identification (DLL): Adware.Relevance.b (dll)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103730.dll

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103751.exe

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103767.exe

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp174\a0103772.exe

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp176\a0103812.exe

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp176\a0103826.exe

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp176\a0103839.exe

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp176\a0103842.exe

Positive identification: DDoS.RAT.rBot.dy
  File: c:\windows\system32\crsss.exe

Positive identification (DLL): Adware.ToolBat.EliteBar.z (dll)
  File: c:\windows\system32\doolsav.dat

Positive identification: DDoS.RAT.SDBot.up
  File: c:\windows\system32\libsysmgr.exe

Positive identification: DDoS.RAT.rBot.yo
  File: c:\windows\system32\mssw32.exe.tcf

Positive variant identification: Beast 2.02 (Variant)
  File: c:\windows\system32\msvccc.exe.tcf

Positive identification: DDoS.RAT.rBot.acu
  File: c:\windows\system32\navprotect.exe

Positive identification: DDoS.RAT.SDBot.rz
  File: c:\windows\system32\ntsysman.exe

Positive identification: TrojanProxy.Win32.Agent.bz2
  File: c:\windows\system32\svphostu.exe

Positive identification: DDoS.RAT.rBot.adk
  File: c:\windows\system32\trass.exe

Positive identification: DDoS.RAT.Agobot.yj
  File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\6jylazox\bot[1].exe

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\windows\system32\drivers\etc\svwhost32.exe

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\windows\system32\drivers\etc\svwhost32.exe.tcf

Positive variant identification: Microjoiner 1.7 (Variant)
  File: c:\windows\system32\drivers\etc\svwhost32.exe8278.tcf

Positive identification: TrojanDownloader.Win32.Dyfuca.ds
  File: c:\windows\temp\optimize.exe.tcf

Positive identification: TrojanDownloader.Win32.IstBar.fr2
  File: c:\windows\temp\sidefind.exe.tcf

Positive identification (DLL): TrojanDownloader.Win32.IstBar.gh (dll)
  File: c:\windows\temp\icd1.tmp\istactivex.dll

TROJ_ISTBAR.ZA: housecall.trendmicro.com found that virus but couldn't clean or delete it. Compressed it and I think I deleted it.

I registered on PayPal (eBay) with my credit card. Was this safe?

Thanks again for all the help. Cheers

irish-paddy (Jr. Member, Posts: 58)
CANY ANY1 HELP?
« Reply #3 on: January 25, 2005, 06:52:10 PM »
P.S. I also downloaded TrojanHunter. Reinstalled it from the website but haven't used it. Not sure if it's safe.

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034)
« Reply #4 on: January 25, 2005, 09:18:20 PM »
Ok, let's not get ahead of ourselves; you have quite a few nasties on your computer we must remove.

Try and do everything I ask.
Please try and print these instructions, or save them to a Notepad file on the desktop.
Many of these fixes should be run in safe mode with your browser window closed.

I asked you to do this:
Download Windows CleanUp! by StevenGould
Install it for now, but don't run a scan yet
This will clean all your temp folders, cookies, prefetch, etc...

You're confusing me, you said this

Quote
(i just had to disconnect and reconnect cuz i had to turn my firewall on it somehow got turned off.) uninstalled spybot

Are you sure you're not talking about Spyware Doctor?
Leave it uninstalled

But I definitely see Spybot entries in your log, so it's not uninstalled correctly
I prefer you don't uninstall it
But you have TeaTimer running, which can get in the way of fixes
I need you to disable TeaTimer until we are done with these fixes
That is what is getting in the way
I see these in your hijackthis log
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Look for Spybot on your computer and disable Tea Timer
Open Spybot>>Click Mode at the top>>Click ADVANCED
YES to the prompt
Click on TOOLS>>RESIDENT>>Uncheck "Resident TEA TIMER"

RESTART your computer to ensure it's disabled

If you can't find Spybot, access your Add/Remove Programs and uninstall it until we are done with some fixes, and then restart your computer
Again---If you uninstalled Spybot

I assume that you let TDS-3 fix all the Positive Identification files

IN SAFE MODE

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Access your Add/Remove Programs and remove if found
Admanager Controller
AdStatus Service

If both are found, try and remove them

Look for these files and folders and delete them if they exist

C:\WINDOWS\System32\kxcddqojunj.exe <--file
c:\windows\system32\csmss32.exe <--file
C:\WINDOWS\xcz.exe <--file

C:\Program Files\Admanager Controller <--folder
C:\Program Files\AdStatus Service <--folder

Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\Run: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\Run: [Windows Update] msnmsgrs.exe

O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Spool] C:\WINDOWS\TEMP\msvcreal.exe
O4 - HKLM\..\Run: [xcz] C:\WINDOWS\xcz.exe

O4 - HKLM\..\Run: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\Run: [e2M35W] C:\WINDOWS\yilcrmb.exe
O4 - HKLM\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
<--although it looks legitimate, it's NOT!

O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe

O4 - HKLM\..\Run: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKLM\..\RunServices: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunServices: [onjzqdwclongf] C:\WINDOWS\System32\kxcddqojunj.exe
O4 - HKLM\..\RunServices: [Microsoft Legacy Device] trass.exe
O4 - HKLM\..\RunServices: [sdkupdate22] SDK0mCORE.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunServices: [Windows Update] msnmsgrs.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [MSNPluginSrIvcs] n3vasap23.exe
O4 - HKLM\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] swwhost.exe
O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe

O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] swwhost.exe
O4 - HKCU\..\Run: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MSNPluginSrIvcs] n3vasap23.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe
O4 - HKCU\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] swwhost.exe

O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe (file missing)


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis


Open up Windows Cleanup>>In safe mode
Click on the CleanUp button
Let it finish scanning for files, When it's done it will prompt you to Log off
Don't at this time

I need you to Disable System Restore, many bad files are found in this folder
To guarantee they are removed we must disable it
I'll let you know when to Re-enable it

1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. Put a check mark next to 'Turn off System Restore on All Drives'. or Turn off System Restore
4. Click the 'OK' button.
5. You should get a prompt to restart the computer. Click Yes. If you don't get a prompt, restart anyway.

When you're back in Windows
Go back and Re-Enable System Restore

By all means run Trojan Hunter
If this is the Trial version ensure that you update to the latest Ruleset
Access this link
http://www.misec.net/trojanhunter/updating/
Download the Latest ruleset>>>It's a zipped file
UNZIP it to your Trojan Hunter folder allowing it to overwrite if prompted
The default location of T.H is specified by your log
Unzip to C:\Program Files\TrojanHunter 4.1

Run a full system scan allowing it to fix whatever it finds
Restart your computer

Did you run Ad-Aware SE 1.05?
If not download it now and run the scan as previously instructed
Remember to restart your computer after you are done cleaning

PLEASE, try and post back a fresh HijackThis log in Normal Mode
I can't see everything when you're in Safe Mode

Try and do everything I asked from above, look it over carefully and print it out,
Do what you can, ALL if you can!!!!
« Last Edit: January 26, 2005, 12:18:34 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest
« Reply #5 on: January 27, 2005, 07:00:23 PM »
Quote
(i just had to disconnect and reconnect cuz i had to turn my firewall on it somehow got turned off.) uninstalled spybot


I didn't download Spyware Doctor, it was Spybot


Disabled TeaTimer

IN SAFE MODE
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
DONE ALL OF THAT




C:\WINDOWS\System32\kxcddqojunj.exe <--file COULDN'T FIND
c:\windows\system32\csmss32.exe <--file COULDN'T FIND
C:\WINDOWS\xcz.exe <--file COULDN'T FIND

C:\Program Files\Admanager Controller <--DELETED
C:\Program Files\AdStatus Service <--DELETED


O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe  = NOT FOUND

O4 - HKLM\..\Run: [Microsoft Legacy Device] trass.exe  = NOT FOUND

O4 - HKLM\..\RunOnce: [sdkupdate22] SDK0mCORE.exe  = NOT FOUND

O4 - HKCU\..\Run: [Microsoft Windows W32 Services] mssw32.exe = NOT FOUND

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe = NOT FOUND

O4 - HKCU\..\RunOnce: [sdkupdate22] SDK0mCORE.exe  = NOT FOUND
O4 - HKCU\..\RunOnce: [Win32 DRK Driver] wdrk32.exe  = NOT FOUND
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] swwhost.exe  = NOT FOUND

These were not found; tried a few times. All of the rest were fixed, though.

Did a cleanup, didn't restart.
Disabled System Restore, restarted and turned it back on, in Normal Mode.


Yeah, I already ran Ad-Aware SE 1.05. DONE ALL OF THIS BUT HAVE BEEN HAVING TROUBLE STAYING ON THE INTERNET as the modem keeps kicking me off.

Here is my new HijackThis log

Logfile of HijackThis v1.99.0
Scan saved at 22:29:44, on 27/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\svphost.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Guest
« Reply #6 on: January 27, 2005, 07:03:17 PM »
PRINTED YOUR INSTRUCTIONS OUT AND DID EVERYTHING STEP BY STEP.
ALSO RAN TROJANHUNTER AND CLEANED ONE TROJAN.

HOPE THIS WORKS

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034)
« Reply #7 on: January 27, 2005, 07:21:50 PM »
Ok let's try this

So are you saying that you still have Spybot installed then?
Leave it installed; it sounds like you do if you disabled the TeaTimer.
Leave TeaTimer disabled for now.

You mentioned earlier you uninstalled Spybot :blink:

I know you say you didn't download Spyware Doctor.
I don't advise you do either, but this BHO we fixed earlier in your log is associated with Spyware Doctor, and it looks like it's been uninstalled:
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)

RESTART your computer into safe mode

Find and delete this file
C:\WINDOWS\system32\svphost.exe <--this file, don't confuse it with svchost.exe which is legit

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Run Windows CleanUp again

Restart your computer back to Normal Mode and post a fresh hijackthis log
« Last Edit: January 27, 2005, 07:23:31 PM by guestolo »



Guest
« Reply #8 on: January 28, 2005, 02:40:21 PM »
:unsure: Sorry for confusing you so much. I did uninstall Spybot, but I reinstalled it and then removed TeaTimer.

I think I also did previously install Spyware Doctor but I uninstalled it as I thought it contained viruses.

Going to go delete
C:\WINDOWS\system32\svphost.exe <--this file, don't confuse it with svchost.exe

and going to fix
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe

and I'll run Windows CleanUp and post you back a log in a minute.

cheers

Guest
« Reply #9 on: January 28, 2005, 03:19:58 PM »
Did everything. Deleted this
C:\WINDOWS\system32\svphost.exe
Found a file beside it called C:\WINDOWS\system32\svphostu.exe. Is this a virus?

The computer is a lot faster and feeling a lot better. Thanks very much. Cheers. :rolleyes:

Here's my new log

Logfile of HijackThis v1.99.0
Scan saved at 19:07:53, on 28/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\csmss32.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034)
« Reply #10 on: January 28, 2005, 03:36:28 PM »
Quote
found a file beside it called C:\WINDOWS\system32\svphostu.exe is this a virus?
Nope, but it is a Trojan :ph34r:

Yah, we have to get rid of that one.
Can you first disable System Restore?
This will clear all your Restore points and ensures you don't restore any nasties.
Don't re-enable it yet.
How to Disable and Re-enable System Restore feature

Instead
Can you boot to safe mode

Find and delete these files

C:\WINDOWS\system32\svphostu.exe <--file
C:\windows\system32\csmss32.exe <--file, exact name

In safe mode do another scan with Hijackthis and fix this entry

O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe

Restart back to Normal mode >>Enable System Restore and post a fresh log, thanks

Concerning this entry in your log
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1

Did your Network or Domain set this? Just checking
« Last Edit: January 28, 2005, 03:48:36 PM by guestolo »

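The two things guestolo keys on when he reads these logs are worth turning into something repeatable: O4 Run entries that are a bare filename (mssw32.exe, navprotect.exe) or a near-miss of a core process name (svphost.exe for svchost.exe, csmss32.exe for csrss.exe), O2/O23 entries whose file is gone, and the O17 NameServer line he asks about in Reply #10. Below is an added triage script for that; it is not HijackThis code and the heuristics (edit distance of one on the digit-stripped stem, loopback DNS, temp-directory paths) are my own. The sample lines are copied from the logs posted in this thread.

```python
"""Triage a HijackThis log for the tells guestolo keyed on in this thread.

Added example; not HijackThis's own logic, and the heuristics are mine.
SAMPLE_LOG is a constructed excerpt of the logs posted above.
"""
import re

# Core Windows processes whose names the malware here imitated
# (svphost.exe vs svchost.exe, csmss32.exe vs csrss.exe). Order matters:
# the first name within edit distance 1 is the one reported.
CORE_PROCESSES = ("svchost.exe", "csrss.exe", "smss.exe", "lsass.exe",
                  "winlogon.exe", "services.exe", "spoolsv.exe", "explorer.exe")

O2_RE = re.compile(r"^O2 - BHO: .* - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def exe_name(cmd):
    """Lower-cased file name of the program a Run-key command launches."""
    cmd = cmd.strip()
    program = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance; names are short so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Core process that `name` imitates (one edit away, trailing digits ignored), or None."""
    if name in CORE_PROCESSES:
        return None
    stem = re.sub(r"\d+$", "", name.rsplit(".", 1)[0])   # csmss32.exe -> csmss
    for core in CORE_PROCESSES:
        if edit_distance(stem, core.rsplit(".", 1)[0]) <= 1:
            return core
    return None


def triage(log_text):
    """Return (reason, line) pairs for every log line that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            if m["path"] == "(no file)" or m["path"].endswith("(file missing)"):
                findings.append(("orphaned BHO entry", line))
        elif m := O4_RE.match(line):
            cmd = m["cmd"]
            if "\\" not in cmd:
                # No path at all: Windows locates it via the system search path,
                # which is how mssw32.exe / navprotect.exe in System32 get started.
                findings.append(("bare filename, no path", line))
            if re.search(r"\\temp\\", cmd, re.I):
                findings.append(("runs from a temp directory", line))
            if core := lookalike(exe_name(cmd)):
                findings.append((f"lookalike of {core}", line))
        elif m := O17_RE.match(line):
            if any(s.startswith("127.") for s in m["servers"].split(",")):
                findings.append(("DNS server set to loopback", line))
        elif m := O23_RE.match(line):
            if m["vendor"] == "Unknown" or m["path"].endswith("(file missing)"):
                findings.append(("unknown vendor or missing service binary", line))
    return findings


# Constructed excerpt of the logs posted in this thread (benign lines included
# so the script has something it must NOT flag).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Windows W32 Services] mssw32.exe
O4 - HKLM\..\Run: [Spool] C:\WINDOWS\TEMP\msvcreal.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [svphost.exe] C:\WINDOWS\system32\svphost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: NT login service - Unknown - C:\WINDOWS\System32\libsysmgr.exe (file missing)
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:40} {line}")
```

The lookalike check deliberately compares stems rather than whole names: with the shared ".exe" included, a similarity ratio would also flag Messenger's msmsgs.exe against smss.exe. A loopback NameServer is listed as a finding rather than as harmless because a resolver the box does not run means either dead DNS or a local proxy answering for it; either way it deserves the "who set this?" question guestolo asks.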


irish-paddy (Jr. Member, Posts: 58)
« Reply #11 on: January 29, 2005, 04:46:14 PM »
'C:\windows\system32\csmss32.exe <--file, exact name'
Would not be deleted. Access was denied. I copied a similar file (i.e. a file with a different name but that had the same symbol) and gave it the same name.

I then renamed the file to 'csmss32.exe' and pasted it into C:\windows\system32 and allowed it to overwrite.
Then I deleted it and emptied the recycle bin. I'm not sure if this will work or not, will it? :huh:

C:\WINDOWS\system32\svphostu.exe <--file deleted

Hijackthis entry
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
fixed

O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
What do you mean by 'did your network or domain set this?' I use a home Dell computer. I don't have a clue what 'O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1' is.

Once again, thanks for all your help and time.

Here's my new log

Logfile of HijackThis v1.99.0
Scan saved at 20:30:25, on 29/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

guestolo (Site Donator, Administrator, Hero Member, Posts: 16034)
« Reply #12 on: January 29, 2005, 05:08:20 PM »
Everything in your log looks good
Normally I see that O17 line's address directed to your ISP or domain.
Having it set to localhost will do no harm.

Let's make sure that the file is gone>>I'm not exactly sure what you did.
I hope you didn't rename a needed file; what file did you overwrite?
Confusing me again :)

Open Hijackthis>>Open Misc tools>>Click the Delete file on Reboot button

Copy and paste the bold line to the whole path of the file name box

C:\windows\system32\csmss32.exe

Click the Open button

If hijackthis prompts you that the file will be deleted and you must restart your computer

Restart your computer

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Hold onto Ad-Aware along with Spybot and check for updates every couple of weeks
A little added protection
Open Spybot>>Click on Immunization>>OK>>Immunize at the top
Do this after every update

Hold onto Windows CleanUp! and clean those temp folders, etc.. at least every couple of weeks

If you want to hold onto TDS-3 for the complete 30 days
Ensure you update the latest RADIUS database before running a final scan
Bookmark this link and update from previous instructions>>This is up to you
Hold onto it or uninstall it
http://tds.diamondcs.com.au/index.php?page=update

The same goes for the TrojanHunter
You will want to manually update the Latest Ruleset before running a final scan
http://www.misec.net/trojanhunter/updating/
If it's the Trial version>>It's also good for 30 days
Be sure to shut down the TrojanGuard before uninstalling

How's everything running?
« Last Edit: January 29, 2005, 05:10:48 PM by guestolo »

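The "Delete file on reboot" step above relies on a standard Windows mechanism: a file that is locked while Windows is running can be queued for removal by the session manager on the next boot. The following PowerShell script is an added example, not code from the thread or from HijackThis, that does the same check and scheduling by hand on a modern Windows system (PowerShell 4 or later is assumed; the path is the one named in the reply). It first reports whether the file is still there, records its hash for the record, tries an ordinary delete, and only if that fails calls MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which is what writes the PendingFileRenameOperations entry. Run it from an elevated prompt.

```powershell
# Added example (not part of the original thread): verify a suspect file is gone,
# and if it is still present and locked, queue it for deletion at the next reboot.
$target = 'C:\Windows\System32\csmss32.exe'   # path named in the reply above

# P/Invoke the Win32 API that HijackThis-style "delete on reboot" features use.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 4   # documented flag value for MoveFileEx

if (-not (Test-Path -LiteralPath $target)) {
    Write-Output "OK: $target is not present."
} else {
    $item = Get-Item -LiteralPath $target
    Write-Output ("Still present: {0} bytes, modified {1}" -f $item.Length, $item.LastWriteTime)
    # Keep a hash before removal so the sample can be identified later if needed.
    Write-Output ("SHA256: " + (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash)
    try {
        Remove-Item -LiteralPath $target -Force -ErrorAction Stop
        Write-Output "Deleted immediately."
    } catch {
        Write-Output "File is locked; scheduling deletion at next reboot."
        # A null destination with this flag means "delete at boot".
        $ok = [Win32.Native]::MoveFileEx($target, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
        if (-not $ok) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "MoveFileEx failed with Win32 error $err"
        }
    }
}

# Show what is queued for the next boot; an entry of the form "\??\<path>" followed
# by an empty string is a pending delete.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
if ($pending) { $pending.PendingFileRenameOperations } else { Write-Output "No pending file operations." }
```

After the reboot, re-run the script: the first branch should report the file as not present, and the pending-operations value should be gone, which is the confirmation the reply asks for before moving on to the protection steps.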


Offline irish-paddy

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +0/-0
CANY ANY1 HELP?
« Reply #13 on: January 29, 2005, 06:17:08 PM »
everything seems to be running great.
(although rundll32 'encountered an error and had to close' when I restarted after I deleted C:\windows\system32\csmss32.exe in hijackthis>misc tools)

-sorry for confusing you again, I do that a lot.
What I did was
>copied a file,
>pasted it (a copy of it) onto desktop,
>renamed it 'csmss32.exe'
>then cut and pasted it from desktop to C:\windows\system32
>let it overwrite the old 'csmss32.exe'
>then deleted it.
still confused?


have just done everything
downloaded IE-SPYAD2.EXE
downloaded spywareblaster



My computer and my new internet connection feels a lot, lot lot lot safer now. Cheers!!!!!!!!!!!!!!!


p.s. I don't like trojan hunter as it never detected csmss32.exe

Guest_guestolo_*

  • Guest
CANY ANY1 HELP?
« Reply #14 on: January 29, 2005, 06:19:59 PM »
Can I see a fresh Hijackthis log please

I can't sign into the forum, so bear with me here if you see me signed in as a guest

Guest

  • Guest
CANY ANY1 HELP?
« Reply #15 on: January 29, 2005, 06:21:36 PM »
the rundll32 error, is that the whole error message?

Offline irish-paddy

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +0/-0
CANY ANY1 HELP?
« Reply #16 on: January 29, 2005, 06:37:01 PM »
the problem only happened once

Offline irish-paddy

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +0/-0
CANY ANY1 HELP?
« Reply #17 on: January 29, 2005, 06:40:33 PM »
it doesn't seem to be happening anymore

is that guestolo? forgive me if I don't send my log, it's just that you mightn't really be guestolo and I've (I mean guestolo has) put in too much hard work to let some hacker do me in

Offline irish-paddy

  • Jr. Member
  • **
  • Posts: 58
  • Karma: +0/-0
CANY ANY1 HELP?
« Reply #18 on: January 29, 2005, 07:03:18 PM »
don't mean to offend you if that is you.

computer seems to be working great.

what would you recommend for a firewall??

i will also probably be downloading lots of music, and as I am a man with little money I'll have to use a free one. what would you recommend?

thanks again guestolo for all your help... :rolleyes: :D

Offline Josetann

  • admin
  • Administrator
  • Hero Member
  • *****
  • Posts: 10136
  • Karma: +0/-0
CANY ANY1 HELP?
« Reply #19 on: January 29, 2005, 11:20:59 PM »
That is him, I upgraded the forum software and it took a while to get everything back to normal.