Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help with Hotoffers


  • This topic is locked This topic is locked
9 replies to this topic

#1 Hampus

Hampus

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 12 March 2005 - 04:05 PM

Let me start by saying, that you people at Bleepingcomputer are the best. You have helped me before, and I hope that you can do it again.
This hotoffers keeps coming back. Please help.


Logfile of HijackThis v1.99.1
Scan saved at 22:01:07, on 2005-03-12
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Norton Internet Security\ISSVC.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Spyware Doctor\spydoctor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\WinZip\WZQKPICK.EXE
C:\Program\Aluria Software\ASE\ASE Scheduler.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Petri Kljutschnik\Skrivbord\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.aftonbladet.se/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: ASE Scheduler.lnk = C:\Program\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Certificate Mover.lnk = C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program\MultiPoker\MultiPoker.exe
O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program\MultiPoker\MultiPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {2481EC83-049B-44ED-8DA2-89668698B7F5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2481EC83-049B-44ED-8DA2-89668698B7F5} - (no file) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {1538D4E0-B2C4-402D-B71A-BA6A04BC7A5D} (PictureChooser.picChooser) - http://direct.fotomenyn.com/direct/PictureChooser.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104834554158
O16 - DPF: {65F77758-B822-45FB-8F0C-08E85705EC4A} (Upload.ctlUpload) - http://direct.fotomenyn.com/direct/upload.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\Program\ALURIA~1\ASE\ASEServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:35 PM

Posted 12 March 2005 - 09:15 PM

Hi there,

I can't see any traces of hotoffers in your log anymore, so i suppose you fixed the entries before in your hijackthislog before posting here.
But you're still complaining it's there.

So..

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Copy and paste the content of the txtfile you get afterwards in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Hampus

Hampus
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 13 March 2005 - 09:53 AM

"Silent Runners.vbs", revision 27, launched at: 15:50
Operating System: Windows XP


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program\Messenger\msmsgs.exe" /background" [MS]
"Spyware Doctor" = ""C:\Program\Spyware Doctor\spydoctor.exe" /Q" ["PCTools"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"notepad.exe" = "msmsgs.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"ATIPTA" = "C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"PreloadApp" = "c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d" [file not found]
"Display Settings" = "C:\Program\HPQ\Notebook Utilities\hptasks.exe /s" ["Hewlett-Packard"]
"QT4HPOT" = "C:\Program\HPQ\ONE-TO~1\OneTouch.EXE" ["Dritek System Inc."]
"Cpqset" = "C:\Program\HPQ\Default Settings\cpqset.exe" [null data]
"AdaptecDirectCD" = ""C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"QuickTime Task" = ""C:\Program\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SSC_UserPrompt" = "C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"ccApp" = ""C:\Program\Delade filer\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\Program\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"ControlPanel" = "C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile" [file not found]
"MSN Messenger" = "C:\WINDOWS\System32\msmsgs.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
-> resolves to: {CLSID}\InprocServer32\(Default) = C:\WINDOWS\System32\systr.dll [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\System32\stobject.dll" [MS]


Startup items in "Petri Kljutschnik" & "All Users" startup folders:
-------------------------------------------------------------------

C:\Documents and Settings\Petri Kljutschnik\Start-meny\Program\Autostart
"ASE Scheduler" -> shortcut to: "C:\Program\Aluria Software\ASE\ASE Scheduler.exe" ["Aluria Software, LLC"]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Certificate Mover" -> shortcut to: "C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe" ["SmartTrust"]
"D-Link AirPlus" -> shortcut to: "C:\Program\D-Link AirPlus\AirPlus.exe" ["D-Link"]
"Microsoft Office" -> shortcut to: "C:\Program\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"WinZip Quick Pick" -> shortcut to: "C:\Program\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Petri Kljutschnik" -> launches: "C:\Program\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Automatic Updates, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wuauserv.dll" [MS]}
COM+ Event System, EventSystem, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\es.dll" [MS]}
Computer Browser, Browser, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\browser.dll" [MS]}
Cryptographic Services, CryptSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\cryptsvc.dll" [MS]}
DHCP Client, Dhcp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Distributed Link Tracking Client, TrkWks, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\trkwks.dll" [MS]}
DNS Client, Dnscache, "C:\WINDOWS\System32\svchost.exe -k NetworkService" {"C:\WINDOWS\System32\dnsrslvr.dll" [MS]}
Error Reporting Service, ERSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ersvc.dll" [MS]}
Event Log, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
Fast User Switching Compatibility, FastUserSwitchingCompatibility, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Help and Support, helpsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
HP Configuration Interface Service, HPConfig, "C:\WINDOWS\system32\HPConfig.exe" ["Hewlett-Packard"]
HPWirelessMgr, HPWirelessMgr, "C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe" ["Hewlett-Packard Co."]
Infrared Monitor, Irmon, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\irmon.dll" [MS]}
IPSEC Services, PolicyAgent, "C:\WINDOWS\System32\lsass.exe" [MS]
ISSvc, ISSVC, "C:\Program\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Messenger, Messenger, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\msgsvc.dll" [MS]}
Network Connections, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
Network Location Awareness (NLA), Nla, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
Portable Media Serial Number, WmdmPmSp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mspmspsv.dll" [MS]}
Print Spooler, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINDOWS\system32\lsass.exe" [MS]
Remote Access Connection Manager, RasMan, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
Secondary Logon Service, seclogon, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\seclogon.dll" [MS]}
Security Accounts Manager, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
Server, lanmanserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srvsvc.dll" [MS]}
Shell Hardware Detection, ShellHWDetection, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
SmartTrust Smart Card Server, Smartscaps, "C:\WINDOWS\system32\Smartscaps.exe service" ["SmartTrust"]
SSDP Discovery Service, SSDPSRV, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\ssdpsrv.dll" [MS]}
Symantec Core LC, Symantec Core LC, "C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program\Delade filer\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
System Event Notification, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
Task Scheduler, Schedule, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\schedsvc.dll" [MS]}
TCP/IP NetBIOS Helper, LmHosts, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\lmhsvc.dll" [MS]}
Telephony, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
Terminal Services, TermService, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\termsrv.dll" [MS]}
Themes, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Upload Manager, uploadmgr, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
WebClient, WebClient, "C:\WINDOWS\System32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Management Instrumentation, winmgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
Windows Time, W32Time, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\w32time.dll" [MS]}
Wireless Zero Configuration, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
Workstation, lanmanworkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wkssvc.dll" [MS]}

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:35 PM

Posted 13 March 2005 - 10:25 AM

Hello,

Open notepad and copy and paste next content in the white field in it:
(do not copy the word 'code' above in it)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{12345678-0000-0010-8000-00AAFF6D2EA4}"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

Save this as fix.reg
Choose to save as *all files and place it on your desktop.
Don't use it yet.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab


Extra note.. I see you are using Aluria Spyware Eliminator.. Well, as a matter of fact, this company is now working together with WhenU.. known for the distribution of adware (spyware)
So, that's why i suggest to uninstall it if still present on your system and fix the next line in hijackthis too:

O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\Program\ALURIA~1\ASE\ASEServ.exe

* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode`:

°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.


* Using Windows Explorer, locate the following files and delete them:

C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\System32\systr.dll

* Doubleclick on fix.reg that is on your desktop and answer yes when asked if you want to add the contents to the registry.

* Reboot your system back to normal mode

Post back a fresh HijackThis log and I'll take another look.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Hampus

Hampus
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 13 March 2005 - 11:46 AM

I wasn´t able to delete systr.dll.
I couldn´t import the fix.reg bacause it´s not a registerscript. I can only import binary registerfiles from the registereditor.

Logfile of HijackThis v1.99.1
Scan saved at 17:45:48, on 2005-03-13
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Norton Internet Security\ISSVC.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Spyware Doctor\spydoctor.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\D-Link AirPlus\AirPlus.exe
C:\Program\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Petri Kljutschnik\Skrivbord\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/228/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.aftonbladet.se/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Certificate Mover.lnk = C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program\MultiPoker\MultiPoker.exe
O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program\MultiPoker\MultiPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {2481EC83-049B-44ED-8DA2-89668698B7F5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2481EC83-049B-44ED-8DA2-89668698B7F5} - (no file) (HKCU)
O16 - DPF: {1538D4E0-B2C4-402D-B71A-BA6A04BC7A5D} (PictureChooser.picChooser) - http://direct.fotomenyn.com/direct/PictureChooser.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104834554158
O16 - DPF: {65F77758-B822-45FB-8F0C-08E85705EC4A} (Upload.ctlUpload) - http://direct.fotomenyn.com/direct/upload.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:35 PM

Posted 13 March 2005 - 12:05 PM

Hmmm..

I wasn´t able to delete systr.dll.
I couldn´t import the fix.reg bacause it´s not a registerscript. I can only import binary registerfiles from the registereditor.


Did you save it in notepad? Not wordpad!
Did you copy and paste the word REGEDIT4 in it?

Ok, again..

Open NOTEPAD and copy and paste next in bold into it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{12345678-0000-0010-8000-00AAFF6D2EA4}"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]


Save this as fix2.reg , choose to save as *all files and place it on your desktop.
Don't use it yet.

Now,
* Download and unzip Killbox to your desktop.
Click killbox.exe.
Select the option "Delete on reboot".
In the field labeled "Full Path of File to Delete" copy and paste next:

C:\WINDOWS\System32\systr.dll

Select: "Unregister DLL Before Deletion"
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.. Click YES
When it asks if you would like to Reboot now, click YES

Your system will reboot now.

* Doubleclick on fix2.reg that is on your desktop and answer yes when asked if you want to add the contents to the registry.

* Start hijackthis and check and fix this line again:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/228/

Reboot again and post a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Hampus

Hampus
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 14 March 2005 - 04:20 AM

Logfile of HijackThis v1.99.1
Scan saved at 10:16:51, on 2005-03-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\Norton Internet Security\ISSVC.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Spyware Doctor\spydoctor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\D-Link AirPlus\AirPlus.exe
C:\Program\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Petri Kljutschnik\Skrivbord\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.aftonbladet.se/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [Display Settings] C:\Program\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Certificate Mover.lnk = C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program\MultiPoker\MultiPoker.exe
O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - C:\Program\MultiPoker\MultiPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {2481EC83-049B-44ED-8DA2-89668698B7F5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2481EC83-049B-44ED-8DA2-89668698B7F5} - (no file) (HKCU)
O16 - DPF: {1538D4E0-B2C4-402D-B71A-BA6A04BC7A5D} (PictureChooser.picChooser) - http://direct.fotomenyn.com/direct/PictureChooser.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104834554158
O16 - DPF: {65F77758-B822-45FB-8F0C-08E85705EC4A} (Upload.ctlUpload) - http://direct.fotomenyn.com/direct/upload.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:35 PM

Posted 14 March 2005 - 04:43 AM

Hi Hampus,

I suppose Microsoft AntispywareHelper is not longer present on your system, so check and fix next lines in hijackthis too:

O9 - Extra button: Microsoft AntiSpyware helper - {2481EC83-049B-44ED-8DA2-89668698B7F5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2481EC83-049B-44ED-8DA2-89668698B7F5} - (no file) (HKCU)


Your log looks clean again!! No more Hotoffers-startpage? How are things running now?

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you do an online virusscan once in a while. (housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

More info on how to prevent malware you can also find here (By Tony Klein)

Happy surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Hampus

Hampus
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 14 March 2005 - 08:57 AM

The hotoffer startpage is gone, my cpu is running as usual (slow) :thumbsup: . I want to thank you for your help with this. Hopefully I will not get my computer infected again, but if it will I know who I will ask for help. You are the best....

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:35 PM

Posted 14 March 2005 - 01:04 PM

Glad I could help you.

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users