Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log: Please Diagnose


  • Please log in to reply
1 reply to this topic

#1 volpe

volpe

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 21 April 2005 - 02:50 PM

Hi, my first post here.
I'm having some troubles with spywares, here's my log, please help me!

Logfile of HijackThis v1.99.1
Scan saved at 21.33.02, on 21/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hwclock.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\SCardClnt.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Programmi\Winamp3\winampa.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\MSAOL32.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\CTSVCCD.EXE
C:\WINDOWS\System32\sscs.exe
C:\WINDOWS\System32\msnupdateit.exe
C:\WINDOWS\System32\svshost32.exe
C:\WINDOWS\System32\notes.exe
C:\WINDOWS\System32\MSAOL32.exe
C:\Programmi\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\sscs.exe
C:\WINDOWS\System32\msnupdateit.exe
C:\Programmi\Nikon\NkView6\NkvMon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKLM\..\Run: [Window_Protect] winsi32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MSN Messenger] msnmsgr.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [KAZAA] C:\Programmi\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [Media Software UPdater] sscs.exe
O4 - HKLM\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\Run: [svshost32] svshost32.exe
O4 - HKLM\..\Run: [notes] notes.exe
O4 - HKLM\..\RunServices: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKLM\..\RunServices: [Window_Protect] winsi32.exe
O4 - HKLM\..\RunServices: [MSN Messenger] msnmsgr.exe
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\RunServices: [Media Software UPdater] sscs.exe
O4 - HKLM\..\RunServices: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\RunServices: [svshost32] svshost32.exe
O4 - HKLM\..\RunServices: [notes] notes.exe
O4 - HKCU\..\Run: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKCU\..\Run: [Window_Protect] winsi32.exe
O4 - HKCU\..\Run: [MSN Messenger] msnmsgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Media Software UPdater] sscs.exe
O4 - HKCU\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKCU\..\Run: [svshost32] svshost32.exe
O4 - HKCU\..\RunServices: [MSN Messenger] msnmsgr.exe
O4 - HKCU\..\RunServices: [svshost32] svshost32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Programmi\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...bridge-c267.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3AC7551-69D4-4D74-A04D-9B8125C341A3}: NameServer = 85.37.17.11 151.99.125.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programmi\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe

BC AdBot (Login to Remove)

 


m

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:47 PM

Posted 22 April 2005 - 08:29 AM

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

C:\WINDOWS\SYSTEM32\slserv.exe
C:\WINDOWS\System32\SCardClnt.exe
C:\WINDOWS\System32\hwclock.exe
c:\windows\system32\sscs.exe
c:\windows\system32\notes.exe
c:\windows\system32\svshost32.exe

To copy the files simply navigate to the directory they are in and right click on them and then click on copy. Then paste these files into the c:\submit directory. Once the files are all copied I need you to zip the folder and rename submit.zip to yourmembername.zip (for example grinler.zip). If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a compressed folder. You will now see a file called submit.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that. Then go to http://www.bleepingcomputer.com/submit-malware.php fill in the required fields, and browse to the file. Then click on the Send File button.

Click on start, settings, control panel and double-click on add/remove programs. From with add/remove program uninstall the following if they exist:

Media Access

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:


R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKLM\..\Run: [Window_Protect] winsi32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [MSN Messenger] msnmsgr.exe
O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [Media Software UPdater] sscs.exe
O4 - HKLM\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\Run: [svshost32] svshost32.exe
O4 - HKLM\..\Run: [notes] notes.exe
O4 - HKLM\..\RunServices: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKLM\..\RunServices: [Window_Protect] winsi32.exe
O4 - HKLM\..\RunServices: [MSN Messenger] msnmsgr.exe
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\RunServices: [Media Software UPdater] sscs.exe
O4 - HKLM\..\RunServices: [Firewall Updater] msnupdateit.exe
O4 - HKLM\..\RunServices: [svshost32] svshost32.exe
O4 - HKLM\..\RunServices: [notes] notes.exe
O4 - HKCU\..\Run: [Microsoft AOL Instant Messenger] MSAOL32.exe
O4 - HKCU\..\Run: [Window_Protect] winsi32.exe
O4 - HKCU\..\Run: [MSN Messenger] msnmsgr.exe
O4 - HKCU\..\Run: [Media Software UPdater] sscs.exe
O4 - HKCU\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [Firewall Updater] msnupdateit.exe
O4 - HKCU\..\Run: [svshost32] svshost32.exe
O4 - HKCU\..\RunServices: [MSN Messenger] msnmsgr.exe
O4 - HKCU\..\RunServices: [svshost32] svshost32.exe
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...bridge-c267.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)


C:\Program Files\Media Access\
C:\UNMT.EXE
c:\windows\system32\svshost32.exe
c:\windows\system32\notes.exe
c:\windows\system32\MSAOL32.exe
c:\windows\system32\winsi32.exe
c:\windows\system32\sscs.exe
c:\windows\system32\CTSVCCD.EXE
c:\windows\system32\msnupdateit.exe
c:\windows\system32\msnmsgr.exe
c:\windows\system32\svshost32.exe



Reboot your computer to go back to normal mode and post a new log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users