Author Topic: Thanks Guestolo !  (Read 1292 times)

Guest_Daniel_*

  • Guest
Thanks Guestolo !
« on: May 15, 2005, 07:16:18 PM »
Hi, I'm not very good at computers and saw your help about the clicksearchclick.com virus. I know I'm not allowed to post a new message here but I couldn't register. Is there a way to get rid of the virus? I downloaded the HijackThis program and have a logfile if you want to see it!

Thanks..

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Thanks Guestolo !
« Reply #1 on: May 15, 2005, 07:43:39 PM »
Why can't you register? What is the problem?

First go clear all your Cache and cookies
Then restart your browser
Come back to this post

What happens when you click on this link
http://www.thetechguide.com/forum/index.php?act=Reg&CODE=00

Remember to check the I AGREE
« Last Edit: May 15, 2005, 08:05:00 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest_Daniel_*

  • Guest
Thanks Guestolo !
« Reply #2 on: May 15, 2005, 08:10:35 PM »
Never mind, so are you saying you always have to start another topic?

That's weird
Go ahead and post a hijackthis log and let me see what's going on
~guestolo~
« Last Edit: May 15, 2005, 08:16:37 PM by guestolo »

Guest_Daniel_*

  • Guest
Thanks Guestolo !
« Reply #3 on: May 15, 2005, 08:22:07 PM »
Logfile of HijackThis v1.99.1
Scan saved at 03:20:15, on 2005-05-16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program\Analog Devices\SoundMAX\Smtray.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\MMTray.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\Delade filer\CMEII\CMESys.exe
C:\Program\D-Link\AirPlus G\AirGCFG.exe
C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\Delade filer\GMT\GMT.exe
C:\Program\PrecisionTime\PrecisionTime.exe
C:\Program\Delade filer\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\TightVNC-unstable\WinVNC.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Trillian\trillian.exe
C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
C:\Program\Winamp\winamp.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\Program\DashBar\DashBar17.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC-unstable\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program\Delade filer\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Påminnelser för Kalendern i Microsoft Works.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .mov: C:\Program\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program\TightVNC-unstable\WinVNC.exe" -service (file missing)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Thanks Guestolo !
« Reply #4 on: May 15, 2005, 08:32:53 PM »
How did you post back to this thread???

Do the following and then get back to me in this thread
Try and register after we do these fixes

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure you click the Check for updates now link and Connect to download the latest updates
When installing, it may update, but double check anyways
Don't run a scan yet

After that

Download and Install Spybot S&D 1.3
Don't activate the Tea Timer when installing, it's a great feature but can get in the way
of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Again, don't run a scan yet, but ensure it is up to date

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
Install for now, don't run a scan yet

Now for some auto fixes
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

In safe mode
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off

Instead
Open Ad-Aware SE
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process
Please Restart your computer back to SAFE MODE when restarting

Back in Windows
Open Spybot
Click the Search & Destroy button on the left
Check for Problems on the right---When the Scan is complete
FIX all selected problems in RED

RESTART the computer to finish the cleaning process
This time Restart back to Normal mode

You shouldn't have a problem registering to the forum after that
Do so as it is a requirement
Do a fresh scan with Hijackthis and post a new log

If you still have problems signing in
I would recommend that you try a different browser

I use Mozilla Firefox all the time
It's free and more secure
Look here
http://www.mozilla.org/

Click the Free Download near the top left
« Last Edit: May 15, 2005, 08:34:32 PM by guestolo »


Guest_Daniel_*

  • Guest
Thanks Guestolo !
« Reply #5 on: May 15, 2005, 08:51:05 PM »
Thanks a lot for your help. Now it seems that I can reply. I don't know why it works now.

I have succeeded in downloading all the files but not the Windows Cleanup file. When I click on the link you gave me the virus puts a stop to it.

Is there another way to get the program?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Thanks Guestolo !
« Reply #6 on: May 15, 2005, 08:58:46 PM »
Go back up and try the link I supplied to register to the forum
Then post back

Also try Firefox and see if you can download CleanUp!
Consider Firefox as a backup browser, in case Internet Explorer is ever hijacked or not connecting

Daniel, there is a reason I ask you to register, one is
A better chance you will post back if you're registered

My biggest reason however
As a registered user>>Which is free to sign up
If you ever come back here in the future and need assistance again
I can search for your old posts and see if anything related in the past could help me out

As a guest, I can't search for your user name
« Last Edit: May 15, 2005, 09:04:04 PM by guestolo »


Guest_Daniel_*

  • Guest
Thanks Guestolo !
« Reply #7 on: May 15, 2005, 09:07:27 PM »
Now I could register but not log in. This message comes up:

Sorry, an error occurred. If you are unsure on how to use a feature, or don't know why you got this error message, try looking through the help files for more information.

The error returned was:
You must enter a username

And I wrote my username!

It is DanielBroman.

Offline DanielBroman

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Thanks Guestolo !
« Reply #8 on: May 16, 2005, 07:39:09 AM »
Thank you Guestolo for all your help yesterday.

This morning I followed your instructions and my computer is working well again.

Take care / Daniel

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Thanks Guestolo !
« Reply #9 on: May 16, 2005, 07:51:41 AM »
Daniel, now that you're signed up and have run the programs I mentioned

You should post another fresh Hijackthis log to your other thread, or here

Let's make sure nothing is still lurking

I won't be able to see it until I get off work, but it's still a good idea to post a final log


Offline DanielBroman

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Thanks Guestolo !
« Reply #10 on: May 16, 2005, 10:30:51 AM »
Logfile of HijackThis v1.99.1
Scan saved at 17:29:13, on 2005-05-16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program\Analog Devices\SoundMAX\Smtray.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\MMTray.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\D-Link\AirPlus G\AirGCFG.exe
C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\TightVNC-unstable\WinVNC.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Trillian\trillian.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC-unstable\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .mov: C:\Program\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program\TightVNC-unstable\WinVNC.exe" -service (file missing)



What do you think, does it look ok?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Thanks Guestolo !
« Reply #11 on: May 16, 2005, 09:21:25 PM »
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Find and delete this folder if found
C:\WINDOWS\System32\Services <-this folder

Run another scan with hijackthis and post a fresh log
« Last Edit: May 16, 2005, 09:21:56 PM by guestolo »


Offline roofy

  • Newbie
  • *
  • Posts: 18
  • Karma: +0/-0
Thanks Guestolo !
« Reply #12 on: May 17, 2005, 01:15:38 AM »
The reason why you can not log in is because of these 2 registry entries
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE

which is running this service...
C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE

I know of this file because I had a virus similar to this. The difference in mine was that I didn't have the security.exe file. Instead I just had the SVCHOST.EXE file and its dll files. How I was able to post my situation though, was because I know how to use the MSCONFIG tool, and I know what files are safe to disable at startup.

Symptoms
This type of virus is known to block people from running online virus scans. This happens when you click on the link thinking you are being directed to the free online scan, but instead it redirects you to the www.clicksearchclick.com site.

So either guestolo is going to have to understand that this type of virus is not going to allow you to log in to this forum, or you could get a head start in removing at least this virus by trying this possible chance as follows...

Run Hijackthis again, and put a checkmark on the following bold entries...


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE

O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE


Then after checking the above, make sure that all other windows are closed except for Hijackthis, and then click on FIX CHECKED

click ok to the prompt and then exit Hijackthis

Next, reopen Hijackthis, but this time open the misc. tools section. Then click on delete a file on reboot and browse and select the file down below in this location...


C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE


Then click on open and then click on the reboot button at the Hijackthis prompt. However, this time you want to boot in safe mode. You can do this by holding the F8 key before the Windows XP logo comes up. You will know you did it right because instead of Windows booting, you get a bunch of options to choose from. What you want to choose is just the words "safe mode". When the welcome screen pops up, select the user name that you use to log in to Windows. Next, if you get a warning message saying that you are in safe mode, just click on OK. Then you will want to locate the folder down below and delete it.

C:\WINDOWS\System32\Services <- just this folder that is in bold

After that you will want to reset your browser start page to the original start page that you like using. You can do this by going to Start->Control Panel. Once the control panel loads, click on Internet and Network Connections and then click on Internet Options. At the top of the Internet Options dialog box, there is a setting where you can type in what you want your start page to be. For example, if you like going to www.google.com most frequently, then you would type www.google.com in the start page text box. You can name it whatever valid URL you want, but you don't want it to say www.clicksearchclick.com

Then reboot the computer in normal mode, and this should clear the problem of not being able to log in to this site. Though before you do come back, I would suggest doing another Hijackthis scan and posting the fresh log back in here so that guestolo can finish helping you.

Also, I hope that guestolo or any other moderator in here doesn't take my post in the wrong way. It is just that I thought it wasn't fair that this person couldn't get the help because the virus that he/she has is hijacking his/her browser and preventing logging in. In addition, the instructions that I have posted in here are the same as what guestolo showed me on how to get rid of this virus. The only difference is, I disabled the startup of this virus before posting my question when I needed the help, and maybe that's why guestolo didn't know why you couldn't log in.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Thanks Guestolo !
« Reply #13 on: May 17, 2005, 09:00:24 AM »
Thanks for the input Roofy

But we carried on HERE


Offline roofy

  • Newbie
  • *
  • Posts: 18
  • Karma: +0/-0
Thanks Guestolo !
« Reply #14 on: May 17, 2005, 10:36:50 AM »
Oops, sorry about that. I was getting kind of confused considering that Daniel had so many posts. I have been reading other topics looking to see if there is a pattern to these viruses. The reason being is I would like to see if I could build a program that could help others. The only pattern that I see is that the viruses are writing a startup key in the registry. I am thinking of building a registry key monitor that allows users not to have to post their logs. However this would be complicated because if someone doesn't know what they're doing they could do more harm than what the virus did. I would need to build a definition list of either what are valid registry keys or, what might be safer, find a way that I can get my hands on a definition list of all the possible bad registry keys. Sort of just like how SpywareBlaster has a definition list of all the bad URLs and places them in the user's restricted zone.
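The two signals this thread turns on, worked as an added example (not code from the thread, HijackThis or roofy): an autostart entry or running process that borrows the name of a core Windows binary but loads from a folder that is not that binary's home (SVCHOST.EXE under System32\Services\{GUID}\ above), and a comparison of O4 Run entries between a baseline log and a later one, which is the startup-key monitor roofy describes applied to logs rather than the live registry. The sample logs are abridged copies of Reply #3 and Reply #15, and the lists of core binary names and expected directories are my assumptions, not something HijackThis ships.

```python
"""Triage helpers for HijackThis-style logs (added example, not HijackThis code):
flag core-binary names loaded from the wrong directory and diff O4 Run entries
between two logs."""
import re
from pathlib import PureWindowsPath

# Constructed samples: abridged lines copied from the first and last logs in
# this thread (Reply #3 and Reply #15), trimmed to what the checks look at.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
C:\HJT\hijackthis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\HJT\hijackthis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
"""

# HijackThis O4 line:  O4 - HKLM\..\Run: [Name] command line
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First .exe token of a command line, quoted or not.
EXE_IN_CMD = re.compile(r'"?(?P<path>[^"]*?\.exe)\b', re.IGNORECASE)
# A path component that is a bare {GUID}, as in the Services folder above.
GUID_DIR = re.compile(r"\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\\", re.IGNORECASE)

# Assumed lists (not from the thread): names that only belong in these directories.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "smss.exe", "csrss.exe", "explorer.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows"}


def parse_log(text):
    """Return (running process paths, [(O4 name, command)]) from a log."""
    procs, runs, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                procs.append(line)
            continue
        m = O4_RUN.match(line)
        if m:
            runs.append((m["name"], m["cmd"]))
    return procs, runs


def exe_path(cmd):
    """Executable path from an O4 command line; falls back to the raw text."""
    m = EXE_IN_CMD.search(cmd)
    return m["path"] if m else cmd


def is_masquerade(path):
    """True if the file name is a core Windows binary but its directory is not."""
    p = PureWindowsPath(path)
    if p.name.lower() not in CORE_BINARIES:
        return False
    return str(p.parent).lower() not in EXPECTED_DIRS


def triage(text):
    """List (where, reason, path) findings for one log."""
    procs, runs = parse_log(text)
    findings = []
    for path in procs:
        if is_masquerade(path):
            findings.append(("process", "core binary name outside its directory", path))
    for name, cmd in runs:
        path = exe_path(cmd)
        if is_masquerade(path):
            findings.append(("O4:" + name, "core binary name outside its directory", path))
        elif GUID_DIR.search(path):
            findings.append(("O4:" + name, "autostart from a {GUID} folder, review", path))
    return findings


def run_entry_diff(baseline_text, current_text):
    """(added, removed) O4 Run entries of current relative to baseline."""
    base = set(parse_log(baseline_text)[1])
    cur = set(parse_log(current_text)[1])
    return sorted(cur - base), sorted(base - cur)


if __name__ == "__main__":
    for finding in triage(LOG_BEFORE):
        print("BEFORE:", *finding)
    print("removed by cleanup:", [n for n, _ in run_entry_diff(LOG_BEFORE, LOG_AFTER)[1]])
```

On the first log it reports the SVCHOST.EXE process and the Service Host entry as masquerades and the Disk Keeper entry for review; on the last log it reports nothing, and the diff shows exactly the two entries guestolo had Daniel fix.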

Offline DanielBroman

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Thanks Guestolo !
« Reply #15 on: May 18, 2005, 05:58:15 PM »
Thanks again for the help. Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 00:56:44, on 2005-05-19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program\Analog Devices\SoundMAX\Smtray.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\MMTray.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\Program\D-Link\AirPlus G\AirGCFG.exe
C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\TightVNC-unstable\WinVNC.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Messenger\msmsgs.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program\TightVNC-unstable\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .mov: C:\Program\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program\TightVNC-unstable\WinVNC.exe" -service (file missing)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Thanks Guestolo !
« Reply #16 on: May 18, 2005, 09:07:05 PM »
I merged these 2 topics together

Deleted a couple also :)

It was getting confusing earlier, but I understand it was not your fault

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
