Author Topic: hijackthis log file. i dont know what to fix =/  (Read 1609 times)

Offline gerbino

« on: March 06, 2005, 02:13:58 AM »
Logfile of HijackThis v1.99.1
Scan saved at 6:07:50 PM, on 3/6/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton\navapsvc.exe
C:\Program Files\Norton\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe
C:\Documents and Settings\riceboy\Application Data\rowi.exe
C:\WINDOWS\System32\n?lookup.exe
C:\Program Files\Norton\SAVScan.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\0756269.DLL
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\riceboy\Desktop\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\Norton\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Win32 Network Driver] crss.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\RunServices: [Win32 Network Driver] crss.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - HKCU\..\Run: [Win32 Network Driver] crss.exe
O4 - HKCU\..\Run: [Bpas] C:\Documents and Settings\riceboy\Application Data\rowi.exe
O4 - HKCU\..\Run: [Knn] C:\WINDOWS\System32\n?lookup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC5E7C9-F471-440D-81B9-E84276470A59}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



please help =)

Offline guestolo

« Reply #1 on: March 06, 2005, 02:39:41 AM »
Download the Pocket Killbox
UNZIP it to a folder of your choice

Save the rest of these instructions to a Notepad file on your desktop and then close down all other open Windows, including this one

Open Hijackthis>>Open Misc tools section>>Open Process Manager
Kill these processes if still running
C:\Documents and Settings\riceboy\Application Data\rowi.exe
C:\WINDOWS\System32\n?lookup.exe



Do another scan with Hijackthis and put a check next to these entries:

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Win32 Network Driver] crss.exe

O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\RunServices: [Win32 Network Driver] crss.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe

O4 - HKCU\..\Run: [Win32 Network Driver] crss.exe
O4 - HKCU\..\Run: [Bpas] C:\Documents and Settings\riceboy\Application Data\rowi.exe
O4 - HKCU\..\Run: [Knn] C:\WINDOWS\System32\n?lookup.exe

O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games4.cab


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.

In Killbox
At the main screen of Pocket Killbox, select the option: Replace on Reboot
Also tick Use Dummy
In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\System32\crss.exe

Press the button with a red circle and a white X
Click Yes to Replace
When asked if you would like to Reboot, select No.

Do the same for this one

C:\Documents and Settings\riceboy\Application Data\rowi.exe

Finally, in Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\System32\pingppac.exe

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
Restart your computer even if not prompted

Please try and restart into Safe mode, you can do this by tapping the F8 key on the keyboard as the system is booting up

In safe mode, Access your Add/Remove programs and remove if found
Preview AdService

Find and delete this folder
C:\Program Files\Preview AdService

Restart back to Normal mode
If prompted by any of your spyware removal tools about changes, allow them or we will have to disable them as to not interfere with our fixes

Back in Windows
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page


When the above has been completed, post back with a Fresh Hijackthis log

Could you also
===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS

Name the file as Export.bat
Save this file on the desktop

 
Quote
regedit /e NSLook.reg "C:\WINDOWS\System32\n?lookup.exe"

Double click on Export.bat and a new file will be created on your desktop called
NSLook.reg
Right click on it and left click EDIT
Copy and paste back that information please

Could you also let me know, besides Microsoft's Anti-Spyware software
and BulletProof's spyware software
What other spyware removal tools you have or used, thanks
Can you also let me know if you paid for BulletProof's software, if not, don't
« Last Edit: March 06, 2005, 02:47:23 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
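
The entries ticked in the reply above share a few structural traits that can be checked mechanically. The following is an added example, not part of the original thread and not HijackThis's own logic: it parses O4 autorun lines and flags bare file names, `?` placeholders, executables directly under Application Data, and names one edit away from a system binary. The list of system binaries and the reason tags are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed reference list of genuine Windows binaries (illustrative, not exhaustive).
SYSTEM_BINARIES = sorted({"csrss.exe", "lsass.exe", "nslookup.exe", "services.exe",
                          "smss.exe", "spoolsv.exe", "svchost.exe", "winlogon.exe"})
# Shape of an autorun line: O4 - HKLM\..\Run: [value name] command line
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# O4 lines copied from the first log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Win32 Network Driver] crss.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O4 - HKCU\..\Run: [Bpas] C:\Documents and Settings\riceboy\Application Data\rowi.exe
O4 - HKCU\..\Run: [Knn] C:\WINDOWS\System32\n?lookup.exe
"""

def image_path(cmd):
    """Executable part of an autorun command line (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def one_edit_apart(a, b):
    """True if a and b differ by exactly one inserted, deleted or replaced character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def resembles(base):
    """Name of a system binary that base imitates, or None."""
    if "?" in base:  # treat '?' as standing for any single character
        return next((s for s in SYSTEM_BINARIES if fnmatchcase(s, base)), None)
    return next((s for s in SYSTEM_BINARIES if one_edit_apart(base, s)), None)

def triage(log_text):
    """Return (registry location, value name, image path, reasons) for each flagged O4 line."""
    flagged = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        path = image_path(cmd)
        folder, _, base = path.lower().rpartition("\\")
        reasons = []
        if not folder:
            reasons.append("no-path")           # resolved through the search path at logon
        if "?" in base:
            reasons.append("masked-char")       # assumption: a character the log could not render
        if folder.endswith("\\application data"):
            reasons.append("user-profile-dir")  # executable sitting directly in a profile data folder
        if (twin := resembles(base)):
            reasons.append("resembles:" + twin)
        if reasons:
            flagged.append((f"{hive}\\{key}", name, path, reasons))
    return flagged

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Preview AdService, which the reply above also removes, passes every check here: these heuristics only prioritise entries for review and do not replace knowledge of known-bad software.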


Offline gerbino

« Reply #2 on: March 06, 2005, 03:00:42 AM »
what's killbox?  sorry mate.

Offline guestolo

« Reply #3 on: March 06, 2005, 03:04:01 AM »
Just on my way to bed
It's a small utility that will help to remove some files that you have identified in your log

You can see in my first reply to you I supplied a link to Killbox
Make sure you Unzip this, don't try and run it within the Zipped archive

Simply click on Pocket Killbox
In the first line of my first reply to you, that's a direct link to the utility



Offline gerbino

« Reply #4 on: March 06, 2005, 03:05:07 AM »
oops i just read the first line to your reply.  thanks again though - i'll let ya know how it goes.  cheers.

Offline gerbino

« Reply #5 on: March 06, 2005, 03:27:07 AM »
Logfile of HijackThis v1.97.7
Scan saved at 7:25:23 PM, on 3/6/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton\navapsvc.exe
C:\Program Files\Norton\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe
C:\Program Files\Norton\SAVScan.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\EA4997A9.DLL
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\Norton\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC5E7C9-F471-440D-81B9-E84276470A59}: NameServer = 210.80.58.34 210.80.58.42

have a good night mate.  thanks again for helpin' out

Offline guestolo

« Reply #6 on: March 06, 2005, 03:34:50 PM »
You have not supplied the required information
I'll look at your next log once we have completed this one

I asked you to post back a fresh Hijackthis log
I didn't mean one from an old version of Hijackthis 1.97.7
I meant one from Hijackthis 1.99.1

I also asked you to include the contents of the file made by Export.bat

Also asked for information on BulletProof's software

When we get this log clean, I'll look at the next
Maybe try and go back and read everything I posted to you, not just bits and pieces
:)
« Last Edit: March 06, 2005, 03:35:38 PM by guestolo »



Offline gerbino

« Reply #7 on: March 07, 2005, 05:43:19 AM »
hehe sorry about that.  guess i was too eager to get into bed i didn't follow all of your instructions.

well i got up to the saving the export.bat file to my desktop but every time i click on it a command prompt window pops up for a split second then disappears.

i don't think an NSLook.reg was created on the desktop.

what should i do now?

have a good one!
gerbino

Offline guestolo

« Reply #8 on: March 08, 2005, 12:16:07 AM »
Doh!!! Don't know what I was thinking
Delete Export.bat

NEXT
===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS

Name the file as Export.bat
Save this file on the desktop


Quote
dir C:\WINDOWS\System32\n?lookup.exe /a h > files.txt
notepad files.txt

Double click on Export.bat and a notepad file will open
Can you post the contents back here

Also, please post back a fresh Hijackthis log from version 1.99.1

Let me know about BulletProof's Spyware removal software, if you didn't pay for it uninstall it
It's bogus



Offline gerbino

« Reply #9 on: March 08, 2005, 03:20:02 AM »
thanks for replying.  it's heaps appreciated.

no i didn't pay for bulletproof's software.  i'll uninstall it after posting this reply.  here's the contents of the notepad file:

 Volume in drive C has no label.
 Volume Serial Number is B892-67B9

 Directory of C:\WINDOWS\System32

08/23/2001  11:00 PM            71,680 nslookup.exe
02/09/2005  01:32 AM           417,792 n?lookup.exe
               2 File(s)        489,472 bytes

 Directory of C:\Documents and Settings\riceboy\Desktop




and here's the log from v 1.99.1

Logfile of HijackThis v1.99.1
Scan saved at 7:17:28 PM, on 3/8/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton\navapsvc.exe
C:\Program Files\Norton\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe
C:\Program Files\Norton\SAVScan.exe
C:\Program Files\BulletProofSoft.com\SpywareRemover\B7E35047.DLL
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\riceboy\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\Norton\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DC5E7C9-F471-440D-81B9-E84276470A59}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

cheers :)

Offline guestolo

« Reply #10 on: March 08, 2005, 09:34:53 PM »
Log looks good
If you have removed Bulletproof

Run another scan with hijackthis and fix this entry if still around
O4 - HKCU\..\Run: [SPYWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\SpyWatch.exe /STARTUP

Restart the computer and delete this folder
C:\Program Files\BulletProofSoft.com

Also navigate to this folder
C:\WINDOWS\System32
Open it and look for this file
n?lookup.exe and delete it

CAREFUL
It may disguise as a legit file
As indicated here
08/23/2001 11:00 PM 71,680 nslookup.exe
02/09/2005 01:32 AM 417,792 n?lookup.exe

You want to delete this one
02/09/2005 01:32 AM 417,792 n?lookup.exe

May be named n?lookup.exe or have the same name as the legit
nslookup.exe
To ensure you have the right one, right click on the file and left click properties
Look for the bad guy that is about 417 kb in size and Creation date of 02/09/2005

Once that is done
If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Also ensure you are running a good firewall or at minimum have XP's firewall enabled
Only one firewall is needed
If you're not running through a NAT Router

Why so far behind on Windows Updates? This is important on keeping your system secure
Just Criticals

If you want a couple great Spyware Removal software programs you can hang onto for free, along with Microsoft's Beta version
Check out the free versions of Spybot 1.3 and Ad-Aware SE Personal 1.05



Offline gerbino

« Reply #11 on: March 09, 2005, 05:20:52 AM »
yeh i am heaps far behind on the updates huh?  i'll do that when i get all this out of the way.

i can't seem to find

02/09/2005 01:32 AM 417,792 n?lookup.exe

i can find

08/23/2001 11:00 PM 71,680 nslookup.exe

easy done but the first one doesn't seem to be in that folder.  what does that mean?

thanks (again)

Offline gerbino

« Reply #12 on: March 09, 2005, 06:06:03 AM »
sorry but how would i activate a firewall?