Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Log Please Review


  • This topic is locked This topic is locked
17 replies to this topic

#1 Onlythebrave

Onlythebrave

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:57 AM

Posted 17 March 2005 - 01:34 PM

Hi
My life was quite uncluttered until last night, daughter downloaded something from a "friend" on MSN, and now my computer life has collapsed. Have run my Norton Internet security, Spyware Nuker2005, but still cant get rid of Elite Toolbar and Slotch Bar, plus probably some other, I just dont recogise. Keep getting diverted, (to some very unsavoury site sometimes) so even this short message is taking forever to type!!
Would be very grateful if somebody out there could advise. :thumbsup:

Many thanks

Here is what Hijack This has found



Logfile of HijackThis v1.99.1
Scan saved at 18:04:00, on 17/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\userinit32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\regexpress.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\qttasks.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Apps\ActivBoard\OSD.exe
C:\Documents and Settings\Judy\My Documents\Spyware Nuker\Spyware Nuker 2004\swn2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\notepad.exe
C:\Documents and Settings\Judy\Local Settings\Temp\Temporary Directory 7 for HijackThis.zip\HijackThis.exe
C:\WINDOWS\System32\slserves.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Nortons AV SYSTEM] scvchost.exe
O4 - HKLM\..\Run: [Disk Manager] diskver.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitelcw32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Nero] C:\WINDOWS\qttasks.exe /i
O4 - HKLM\..\Run: [Windows Registry Express Loader] regexpress.exe
O4 - HKLM\..\Run: [LsasS] Sygate.exe
O4 - HKLM\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
O4 - HKLM\..\Run: [NECStartPage] C:\apps\HomePage\HomePgui.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Documents and Settings\Judy\My Documents\Spyware Nuker\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\RunServices: [Nortons AV SYSTEM] scvchost.exe
O4 - HKLM\..\RunServices: [Disk Manager] diskver.exe
O4 - HKLM\..\RunServices: [McAfee Windows Protection] mcafee32.exe
O4 - HKLM\..\RunServices: [Windows Registry Express Loader] regexpress.exe
O4 - HKLM\..\RunServices: [LsasS] Sygate.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\RunOnce: [Windows Registry Express Loader] regexpress.exe
O4 - HKCU\..\Run: [Nortons AV SYSTEM] scvchost.exe
O4 - HKCU\..\Run: [Disk Manager] diskver.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Registry Express Loader] regexpress.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKCU\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKCU\..\RunOnce: [Windows Registry Express Loader] regexpress.exe
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe



Thanks for looking through this

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:57 PM

Posted 17 March 2005 - 02:55 PM

Hi there,

Hmmm.. do you ever update your antivirus?

* Download and install CCleaner
Do not use it yet.

*Hijackthis is still in your temp-folder, so I strongly advise to create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

* Open notepad and copy and paste next content in the white field in it:

@echo off

%systemdrive%
cd %WinDir%\system32
attrib -r -s -h elite*32.exe
del /q elite*32.exe

echo Merging registry.... 
echo REGEDIT4>c:\clear.reg
echo.>>c:\clear.reg
echo [-HKEY_CURRENT_USER\Software\LQ]>>c:\clear.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\ohbbackup]>>c:\clear.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Elitum]>>c:\clear.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>c:\clear.reg
echo "etbrun"=->>c:\clear.reg
regedit /s c:\clear.reg
del c:\clear.reg

Save this as elitefix.bat , choose save as *all files and save it on your desktop.
Don't use it yet!


* Please set your system to show
all files; please see here if you're unsure how to do this.


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [Nortons AV SYSTEM] scvchost.exe
O4 - HKLM\..\Run: [Disk Manager] diskver.exe
O4 - HKLM\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitelcw32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Nero] C:\WINDOWS\qttasks.exe /i
O4 - HKLM\..\Run: [Windows Registry Express Loader] regexpress.exe
O4 - HKLM\..\Run: [LsasS] Sygate.exe
O4 - HKLM\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Documents and Settings\Judy\My Documents\Spyware Nuker\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\RunServices: [Nortons AV SYSTEM] scvchost.exe
O4 - HKLM\..\RunServices: [Disk Manager] diskver.exe
O4 - HKLM\..\RunServices: [McAfee Windows Protection] mcafee32.exe
O4 - HKLM\..\RunServices: [Windows Registry Express Loader] regexpress.exe
O4 - HKLM\..\RunServices: [LsasS] Sygate.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\RunOnce: [Windows Registry Express Loader] regexpress.exe
O4 - HKCU\..\Run: [Nortons AV SYSTEM] scvchost.exe
O4 - HKCU\..\Run: [Disk Manager] diskver.exe
O4 - HKCU\..\Run: [Windows Registry Express Loader] regexpress.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKCU\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKCU\..\RunOnce: [Windows Registry Express Loader] regexpress.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


The next one, did you set this yourself? If not, check it too:

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

* Click on Fix Checked when finished and exit HijackThis.


* Reboot into Safe Mode`:
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.


Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\System32\userinit32.exe <== do not delete userinit.exe!!
C:\WINDOWS\System32\regexpress.exe
C:\Program Files\Media Access <== this folder
C:\WINDOWS\qttasks.exe
C:\windows\EliteToolbar or EliteSidebar <== this folder if present
C:\Documents and Settings\Judy\My Documents\Spyware Nuker <== this folder. (this is a so called spywareremover with a dubious reputation)

* Doubleclick on elitefix.bat. A doswindow will open and close again.. that is normal.

* Start Ccleaner and click Run Cleaner

* Reboot your system back to normal mode

* Perform an onlinescan with housecall and Etrust
Let it delete everything it's finding.

Reboot again and Post back a fresh HijackThis log and I'll take another look.

Edited by miekiemoes, 17 March 2005 - 02:56 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Onlythebrave

Onlythebrave
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:57 AM

Posted 17 March 2005 - 04:56 PM

Hi Again

I have kept my Norton Internet security updated each week.

Had to wipe my Hard Disk last night, and stated from scratch.
But still had a lot of bad stuff on my computer.

Have followed your instructions, but could not get housecall or Etrust to work.

I ran Hijack this again and this is what I got


Logfile of HijackThis v1.99.1
Scan saved at 21:50:40, on 17/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\userinit32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Judy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
O4 - HKLM\..\Run: [NECStartPage] C:\apps\HomePage\HomePgui.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitelcw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe


thanks

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:57 PM

Posted 17 March 2005 - 05:11 PM

Hello,

Looks better but... were you having some problems during the steps you had to take?
Did you follow all my instructions? Did you have any problems with elitefix.bat? Did you boot in safe mode when I asked you to?
It is important that you give feedback when something went wrong, so I have a better view on it..

Ok.. again..

* Reboot into Safe Mode`:
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitelcw32.exe


* Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following folder and delete it:

C:\Program Files\Media Access <== this folder

* Doubleclick on elitefix.bat you made before. A doswindow will open and close again.

Now open hijackthis and click on "config"
Choose "misc Tools"
Click on: "Delete a file on reboot"
In the field, copy and paste:

C:\WINDOWS\System32\userinit32.exe (Make sure it is NOT userinit.exe!!)

Click open and hijackthis will ask you if you want the file deleted on next reboot and if you want to reboot now.. click Yes!

Your system will reboot now.

Post back a fresh HijackThis log and I'll take another look.

Try this onlinescan instead: http://www.pandasoftware.com/activescan/co...n_principal.htm
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Onlythebrave

Onlythebrave
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:57 AM

Posted 17 March 2005 - 07:52 PM

hi

Ok so this is what I have now done.

I started up in safe mode, (I do not think I got to safe mode last time).And followed exactly as you said.
C:\Program files\Media Access are now in Recycle Bin (should I empty this?)

When I double clicked on eleitefix, it flashed on so quickly, I could not see it.
Everything else went as you said.

I also went to the pandasoftware site and did a scan. That came up with 7 found as follows:


Incident Status Location

Virus:W32/Sdbot.CHZ.worm No disinfected Operating system
Adware:Adware/PowerScan No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\WINDOWS\System32\ide21201.vxd
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\labud.exe
Adware:Adware/Atlas No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LAW0ENXL\offeragent[1].exe
Virus:Trj/Juntador.A Disinfected C:\WINDOWS\system32\msfwe1.exe
Virus:Trj/Drp.Juntador.B Disinfected C:\WINDOWS\system32\msua.exe
Virus:W32/Sdbot.CHZ.worm Disinfected C:\WINDOWS\system32\userinit32.exe




And this is Hijackthis number 3 scan



Logfile of HijackThis v1.99.1
Scan saved at 00:49:34, on 18/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijackthis\HijackThis\HijackThis.exe
C:\WINDOWS\System32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
O4 - HKLM\..\Run: [NECStartPage] C:\apps\HomePage\HomePgui.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

Are we making much progress?

Must go now, will look for your reply tomorrow, or should I say latter today
Bye

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:57 PM

Posted 17 March 2005 - 08:13 PM

Yes, we did make some progress. Well done!! :D
Yes, that's why i thought that you didn't boot in safe mode the previous time, because that elite-key was still present in your log.

Ok.. now you have to check and fix next line in hijackthis again:

F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe

For the other files Panda couldn't delete... you have to delete them manually.

But first of all, I don't think you have Adaware SE installed.
Download the latest version of Ad-Aware:
http://www.lavasoft.de/support/download/

After installing AAW, and before running the program.
Please be sure to update the reference file following the instructions here:
http://www.lavahelp.net/howto/updref/

Now boot in safe mode again and delete the following files:

C:\WINDOWS\labud.exe
C:\WINDOWS\System32\ide21201.vxd

Still in safe mode.. Start Ccleaner (you downloaded previously) and click: Run cleaner.

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the 'Scanning' button.
Under Drives, Folders and Files, select 'Scan within Archives'.
Click 'Click here to select Drives + folders' and select your installed hard drives.

Under Memory & Registry, select all options.
Click the 'Advanced' button.
Under 'Log-file detail level', select all options.
Click the 'Tweaks' button.

Under 'Scanning Engine', select the following:
'Unload recognized processes during scanning.'
Under 'Cleaning Engine', select the following:
'Let Windows remove files in use after reboot.'
Click on 'Proceed' to save these Preferences.

Run the Ad-Aware scan and allow it to remove everything it finds.

Reboot back to normal mode and post a last hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Onlythebrave

Onlythebrave
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:57 AM

Posted 18 March 2005 - 03:59 AM

Good Morning

Have followed your instructions.

(not getting any interrutions now)

How is it looking?
When this is all done, can you tell me how to avoid such problems again(apart from downloading suspicious items in the first place!). I still have Norton Internet security 2004, have not yet updated to 2005 package. Obviously Norton is not enough? what should I get, install or buy, or are the ones you have taken me through enough to protect me?

Anyway back to the current situation

Here is the latest Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 08:49:12, on 18/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\notepad.exe
C:\Hijackthis\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

Thanks
must go to work now, will chack for any reply later today. :thumbsup:

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:57 PM

Posted 18 March 2005 - 04:19 AM

Good morning to you too.. well, if you get back from work, i have good news for you. That log looks clean again. :-)

How is it looking?
When this is all done, can you tell me how to avoid such problems again(apart from downloading suspicious items in the first place!). I still have Norton Internet security 2004, have not yet updated to 2005 package. Obviously Norton is not enough? what should I get, install or buy, or are the ones you have taken me through enough to protect me?


Well, to be honest with you, you are using norton and asking me if that is enough.. Hmm, my personal opinion is.. norton isn't good enough.
As you have seen, Panda did flag items that norton didn't. Also, norton can cause system slowdowns.
There are a lot of free antivirus and firewalls that are better.
AVG OR Avast are good FREE antivirus.
Zonealarm OR Sygate are FREE firewalls.

In here.. this is your own decision ofcourse. But if you are planning to use another antivirus and/or firewall, I strongly suggest you uninstall the ones that are on your system right now. Because everal together can give problems and decreases the reliability of it seriously!

I also see your windows isn't up to date. You don't have even SP1 installed.
You really need the updates and the security patches because now your system is extremely vulnerable and malware can be installed without any problems. So visit ASAP: http://windowsupdate.microsoft.com/ and install the updates.

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you do an online virusscan once in a while. (housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

More info on how to prevent malware you can also find here (By Tony Klein)

Happy surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Onlythebrave

Onlythebrave
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:57 AM

Posted 18 March 2005 - 01:34 PM

Good Evening

I am so pleased to hear I have the all clear :thumbsup:
Many thanks for taking the time and going through this with me. I thought my computer was a lost cause!

So now does this mean I now have a "clean Hard Drive"

May I just ask you about some of your comments regarding what anti virus I should use in future.
I will try AVG or Avast antivirus and Zonealarm or Sygate as you mentioned(one or the other) Do these type of programs have regular updates?

When you say "I strongly suggest that you unistall the ones that are on your system right now" Do you mean my Norton Internet security that I had originally on my system or do you mean the ones I downloaded last night

As I wiped my Hard Drive on Wednesday Evening, and then re installed the original software, I only have installed the software that came with computer in 2002. I used to update frequently and all service packs were installed. However since I wiped my hard drive, I only have Windows XP with no updates. Before I contacted this forum I tried to connect to Windows Update to once again download all the updates I had lost, but kept getting error messages and could download nothing. Do you think this could be from all these viruses? or maybe I have more problems!!!

I will install spywareblaster as you suggest, so this will block viruses from getting into my computer in the first place (to replace useless Norton) and I presume this has updates for new threats as and when they are discovered in the future.
I did not know what ActiveX is, So if I see it I should always decline, I don't think I have in the past.!

While I am typing this, a message come up :

MESSAGE SERVICE
Message from warning to infected
Your computer is infected with spyware that normal antivirus cannot detect.
Are you getting popus and ads and you don't were thay are coming from?
Visit www.nixad.com to scan your computer.

Have I caught something else already?!

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:57 PM

Posted 18 March 2005 - 01:52 PM

When you say "I strongly suggest that you unistall the ones that are on your system right now" Do you mean my Norton Internet security that I had originally on my system or do you mean the ones I downloaded last night


I said... if you are planning to choose a new antivirus/firewall.
I don't know what you downloaded last night, but the thing i want to say in here is.. Do not install more than one antivirus and firewall on your system.

Hmmm. About that Message Service, most probably, this is because of the messenger service that isn't disabled on your system.
To disable it, go to start > run > type: services.msc
Search in that list you get for Messenger (this hasn't anything to do with the chatclient messenger.)
Doubleclick on it. In the window that will appear, click on "Stop" and change the Startup Type to disabled.
Click apply and OK and close all open windows.

Maybe it's better to post a last hijackthislog to be sure that everything is really gone.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Onlythebrave

Onlythebrave
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:57 AM

Posted 18 March 2005 - 03:13 PM

Hi
When I said about the software I downloaded last night, I meant the programmes that you told me to download, adaware, panda etc etc. I can still have these on my computer yes?

I can now get into windows update, so will do that once I have got my new anti virus in place.

Okay here is the final Hijackthis scan

Logfile of HijackThis v1.99.1
Scan saved at 20:05:33, on 18/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hijackthis\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ClickMe] C:\apps\ClickMe\ClickMe.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1111171723593
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

Thanks again for all your help and clear instructions.

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:57 PM

Posted 18 March 2005 - 03:41 PM

Your log still looks clean. Did you disable the Messenger service now?

When I said about the software I downloaded last night, I meant the programmes that you told me to download, adaware, panda etc etc. I can still have these on my computer yes?


Panda is an online scanner, that isn't the same as a virusscanner that you install on your system. About antispywareprograms like adaware, spybot s&d, spysweeper... you can have as many as you want.

Good thing you can go to windowsupdate again. :D

How are things running now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Onlythebrave

Onlythebrave
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:57 AM

Posted 18 March 2005 - 04:37 PM

Looks like it is running well, nothing unusual has popped up so looks like all is
well.
I will now uninstall Norton. Install recommedations. Get back to updates and then reload all my other software, so I should be done in a few days!!!

Thanks for your help, advice and patience :thumbsup:

#14 Onlythebrave

Onlythebrave
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:57 AM

Posted 18 March 2005 - 04:50 PM

Sorry I didn't answer your question, Yes I did disable messenger as you said above.

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:57 PM

Posted 18 March 2005 - 04:55 PM

Glad I could help you.

Happy surfing again! :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users