hijackthis log


  • This topic is locked
13 replies to this topic

#1 gooner

gooner

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:34 AM

Posted 15 June 2005 - 04:28 AM

Please can somebody help me know which files to delete and which to keep in this HijackThis log? Many thanks in advance, gooner

Logfile of HijackThis v1.99.1
Scan saved at 23:33:00, on 14/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svhost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\Services\{39A94D0B-01F4-4AA9-B13A-37A6AC9CBAFC}\SVCHOST.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\waol.exe
C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\GoZilla\ZipZilla\zipzilla.exe
C:\WINDOWS\System32\msipcsv.exe
C:\DOCUME~1\keith\LOCALS~1\Temp\hijackthis.zip\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=9
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe
O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\GoZilla\GoIEHlp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\igrp8obdihmfh3thd.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{39A94D0B-01F4-4AA9-B13A-37A6AC9CBAFC}\SVCHOST.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{39A94D0B-01F4-4AA9-B13A-37A6AC9CBAFC}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\waol.exe
O4 - HKCU\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: MSupdater.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {03F9323E-8261-456B-AAA7-BB9AD0382835} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {03F9323E-8261-456B-AAA7-BB9AD0382835} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {0E02B4D4-C42B-4946-BB13-51557B53D694} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0E02B4D4-C42B-4946-BB13-51557B53D694} - (no file) (HKCU)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...512/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A8605B6-6667-4AA9-B7EF-C81218303ABD}: NameServer = 194.168.4.100 194.168.8.100
O20 - AppInit_DLLs: igtcmmx5h1rg.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Kansas
  • Local time:03:34 AM

Posted 15 June 2005 - 10:55 AM

Welcome to the forum. You have a lot of bad things going on in your log.

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Uninstall SpywareCleaner through the control panel and add/remove programs
  • Download CCleaner from here, install it, but don't run it yet.
  • Prepare CWShredder for use:
    • Download CWShredder.
    • Save CWShredder.exe to a convenient location.
    • Please do not do anything with it yet.
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update".
    • You should not run the program yet so click "Exit".
  • Prepare cwsserviceremove.reg for use:
    • Download cwsserviceremove.zip.
    • Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
    • Please do not do anything with it yet.
Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
  • Run CWShredder:
    • Double-click on CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".
  • Remove the offending service:
    • Double-click on cwsserviceremove.reg you downloaded earlier.
    • When it asks you to merge the information to the registry click "Yes".
  • Run AboutBuster and save the logs:
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click OK at the directions prompt.
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
  • Now choose "run" CCleaner:
    • When it finishes, just exit.
  • Restart your computer normally to return to normal mode.
  • Free TrendMicro Housecall scan:
    • Visit the TrendMicro Housecall website.
    • Select your country from the drop-down list and click "Go".
    • Choose "Yes" at the ActiveX Security Warning prompt.
    • Please wait while the Housecall engine is updated.
    • Select the drives to be scanned by placing a check in their respective boxes.
    • Check the "Auto Clean" box.
    • Click "SCAN" in order to begin scanning your system.
    • Please be patient while Housecall scans your system for malicious files.
    • If not auto-cleaned, remove anything it finds.
    • Click "Close" to exit the Housecall scanner.
    • Choose "Yes" at the HouseCall message prompt.
  • Please download, install, update and scan your system with the free version of Ewido trojan scanner:
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    • From the main ewido screen, click on update in the left menu, then click the Start update button.
    • After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
    • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    • When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.
  • Prepare your reply:
    • Please post a fresh HijackThis log
    • Please post the AboutBuster log.
    • Ewido report
    • Please note any complications you had.


#3 gooner


Posted 16 June 2005 - 05:59 AM

Thanks vic, I will do as you say and post back all logs you asked for. Once again, many thanks.

#4 gooner


Posted 17 June 2005 - 05:24 PM

Hi viccy, I did as you suggested and my computer is loads better, but alas I still get pop-ups. When I ran cwshredder.exe and clicked fix and OK, shredder started to scan and rebooted my computer on its own. I was not sure this was supposed to happen, so I restarted again in safe mode and carried on with using cwsserviceremove.reg and completed your instructions from there.

Here are the requested logs. once again many thanks!!!


Logfile of HijackThis v1.99.1
Scan saved at 23:09:54, on 17/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\keith\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\GoZilla\GoIEHlp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{39A94D0B-01F4-4AA9-B13A-37A6AC9CBAFC}\SECURITY.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\waol.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [editpad] C:\WINDOWS\editpad.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...512/mcfscan.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)









about buster log


AboutBuster 5.0 reference file 30
Scan started on [17/06/2005] at [21:50:50]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 21:51:10


AboutBuster 5.0 reference file 30
Scan started on [17/06/2005] at [22:04:52]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 22:05:14


ewido report

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:38:54, 17/06/2005
+ Report-Checksum: 8C091887

+ Date of database: 17/06/2005
+ Version of scan engine: v3.0

+ Duration: 16 min
+ Scanned Files: 43701
+ Speed: 43.95 Files/Second
+ Infected files: 27
+ Removed files: 27
+ Files put in quarantine: 27
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\RCX12.tmp -> TrojanDownloader.Small.asy -> Cleaned with backup
C:\RCX13.tmp -> TrojanDownloader.Small.asy -> Cleaned with backup
C:\RCX14.tmp -> TrojanDownloader.Small.asy -> Cleaned with backup
C:\RCX21.tmp -> TrojanDownloader.Small.asy -> Cleaned with backup
C:\RCX23.tmp -> TrojanDownloader.Small.asy -> Cleaned with backup
C:\RCX24.tmp -> TrojanDownloader.Small.asy -> Cleaned with backup
C:\RCX28.tmp -> TrojanDownloader.Small.asy -> Cleaned with backup
C:\WINDOWS\htpatch.exe -> Not-A-Virus.Tool.HTPatch.a -> Cleaned with backup
C:\WINDOWS\itshta.exe -> Trojan.Small.cr -> Cleaned with backup
C:\WINDOWS\msxmidi.exe -> TrojanDownloader.Small.asy -> Cleaned with backup
C:\WINDOWS\Q824145.exe -> TrojanDownloader.Winshow.W -> Cleaned with backup
C:\WINDOWS\system32\39do7ngzi77h0e.dll -> TrojanDownloader.Small.rr -> Cleaned with backup
C:\WINDOWS\system32\3i61hepl5y2.dll -> Trojan.Krepper.ae -> Cleaned with backup
C:\WINDOWS\system32\4onr8dkxxnrtk.dll -> Trojan.Krepper.ae -> Cleaned with backup
C:\WINDOWS\system32\97lc9khk1r9rs.dll -> Trojan.Krepper.ae -> Cleaned with backup
C:\WINDOWS\system32\htmdeng.exe -> Spyware.Aureate -> Cleaned with backup
C:\WINDOWS\system32\ipcclient.dll -> Spyware.Aureate -> Cleaned with backup
C:\WINDOWS\system32\m95n8plnds4.dll -> Trojan.Krepper.ae -> Cleaned with backup
C:\WINDOWS\system32\msxmidi.exe -> Backdoor.Generic -> Cleaned with backup
C:\WINDOWS\system32\pnu050hzzjtw.dll -> TrojanDownloader.Small.rr -> Cleaned with backup
C:\WINDOWS\system32\svhost.exe -> Backdoor.Generic -> Cleaned with backup
C:\WINDOWS\system32\v3e2zsj5i5u3p0.dll -> TrojanDownloader.Small.rr -> Cleaned with backup
C:\WINDOWS\system32\vbsys2.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\wldr.dll -> TrojanDownloader.Agent.kf -> Cleaned with backup
C:\WINDOWS\system32\xrhnfrn5vnc.dll -> Trojan.Krepper.ae -> Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__spoolsrv32.exe -> Spyware.FindSpy.e -> Cleaned with backup
C:\winloadhh.dll -> TrojanDownloader.Small.asy -> Cleaned with backup


::Report End
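
An added example, not part of any post in this thread: it cross-references autostart entries excerpted from the first HijackThis log above with the ewido scan results, showing which persistence entries pointed at files the scanner later named. The function names are hypothetical, and treating the `__delete_on_reboot__` prefix in the report as a rename of the original file is an assumption.

```python
import ntpath
import re

# Lines excerpted from the first HijackThis log posted in this thread.
HJT_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [System backup] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\waol.exe
O20 - AppInit_DLLs: igtcmmx5h1rg.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Lines excerpted from the ewido scan report posted in this thread.
EWIDO_REPORT = r"""
C:\WINDOWS\msxmidi.exe -> TrojanDownloader.Small.asy -> Cleaned with backup
C:\WINDOWS\system32\msxmidi.exe -> Backdoor.Generic -> Cleaned with backup
C:\WINDOWS\system32\svhost.exe -> Backdoor.Generic -> Cleaned with backup
C:\WINDOWS\system32\vbsys2.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__spoolsrv32.exe -> Spyware.FindSpy.e -> Cleaned with backup
"""

HJT_ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
FULL_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll|ocx)\b', re.I)
BARE_NAME = re.compile(r"[\w.-]+\.(?:exe|dll)\b", re.I)
EWIDO_HIT = re.compile(r"^(.+?) -> (.+?) -> (.+)$")
PENDING_DELETE = "__delete_on_reboot__"  # assumption: prefix of a renamed file


def norm(path):
    """Lower-case a Windows path and drop the pending-delete rename prefix."""
    path = ntpath.normcase(ntpath.normpath(path))
    head, tail = ntpath.split(path)
    if tail.startswith(PENDING_DELETE):
        tail = tail[len(PENDING_DELETE):]
    return ntpath.join(head, tail) if head else tail


def parse_hjt(text):
    """Return (section, target) per entry; target is a path, bare name or None."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        hit = FULL_PATH.search(body) or BARE_NAME.search(body)
        entries.append((section, norm(hit.group(0)) if hit else None))
    return entries


def parse_ewido(text):
    """Map each normalised file path in the report to its detection name."""
    hits = {}
    for line in text.splitlines():
        m = EWIDO_HIT.match(line.strip())
        if m:
            hits[norm(m.group(1))] = m.group(2)
    return hits


def correlate(hjt_text, ewido_text):
    """Attach the scanner verdict (or None) to every HijackThis entry."""
    hits = parse_ewido(ewido_text)
    by_name = {}
    for path, name in hits.items():
        by_name.setdefault(ntpath.basename(path), set()).add(name)
    rows = []
    for section, target in parse_hjt(hjt_text):
        if target is None:
            verdict = None
        elif "\\" in target:
            verdict = hits.get(target)  # full path: exact match only
        else:
            names = by_name.get(target)  # bare file name: match by name
            verdict = "/".join(sorted(names)) if names else None
        rows.append((section, target, verdict))
    return rows


if __name__ == "__main__":
    for section, target, verdict in correlate(HJT_LOG, EWIDO_REPORT):
        print(f"{section:<4}{target or '-':<60}{verdict or 'not in scan report'}")
```

A `None` verdict only means this scanner did not name the file; it says nothing about whether the entry is safe.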

#5 viccy


Posted 17 June 2005 - 07:24 PM

We're making progress. Hopefully just a few more programs to run and you'll be clean.

Next, please run full scans with Ad-Aware SE and Spybot-S&D as follows:
(If you already have Ad-Aware SE 1.06 and Spybot 1.4 installed, you can skip the installation steps. If you don't, please uninstall your old versions and install the new ones from the links below.)

Full Ad-Aware Scan
Please download Ad-Aware SE from here
Install Ad-Aware and run it. In the bottom-right hand corner, click "Check for updates now". Click "Connect" to download the newest reference file.

Now we will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
5) Scan my IE Favorites for banned URLs
6) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom right side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects. Then please restart your computer.


Spybot Full Scan
Next, please download Spybot-S&D from here
Install Spybot-S&D and run it. Select "Search for updates" and then select all available updates. Click on the drop-down box in the top center to choose a download location nearest to you. Then click "Download updates". When all updates have downloaded, close Spybot-S&D, and then run it again. Click on "Check for problems". When the scan has finished, select any entries listed in red and click "Fix selected problems". Then please restart your computer again.

#6 gooner


Posted 18 June 2005 - 02:08 PM

Hi vic, my computer is working great at the moment thanks to you, but there is a problem now with Windows Media Player. When I try to start it I get the message "an internal application error has occurred". Can you help with this problem?

#7 viccy


Posted 18 June 2005 - 02:19 PM

Could you send me another log, please? Also, what version of Windows Media Player do you have, and is there an error code?

Edited by viccy, 18 June 2005 - 02:20 PM.


#8 gooner


Posted 19 June 2005 - 05:31 PM

Hi viccy, my computer is like it's brand new. I got a fix for WM Player at microsoft.com which involved reinstalling some missing files using these commands:

RESOLUTION
To resolve this issue, use the following methods in the order that they are presented.

Method 1: Reregister Jscript.dll and Vbscript.dll

1. Click Start, and then click Run.
2. In the Open box, type regsvr32 jscript.dll, and then click OK.
3. Click OK.
4. Click Start, and then click Run.
5. In the Open box, type regsvr32 vbscript.dll, and then click OK.
6. Click OK.

That got me WM Player going again.


Here is my latest log file, and once again thank you for your help, which has been 100% correct and easy to follow and made my computer run properly.

:thumbsup:
Logfile of HijackThis v1.99.1
Scan saved at 23:21:38, on 19/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\keith\My Documents\drivers1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\GoZilla\GoIEHlp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...512/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A8605B6-6667-4AA9-B7EF-C81218303ABD}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

#9 viccy


Posted 19 June 2005 - 05:56 PM

I'm happy to hear that your computer is working better and that your experience in this forum was positive. There is just one more entry we need to get rid of. Gozilla can cause some problems.

I would recommend that you run Hijack This and put a checkmark next to the following entry.

O2 - BHO: IEHlprObj Class - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\GoZilla\GoIEHlp.dll

Close all other windows and browsers and click "fix checked". Restart your computer.

In order to be better protected in the future, I recommend the following programs:

SpywareBlaster protects against bad ActiveX.
http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard stops Spyware from being installed.
http://www.javacoolsoftware.com/spywareguard.html


IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
https://netfiles.uiuc.edu/ehowes/www/resource.htm

All three are very small free programs that you run once, and then just occasionally to check for updates.

Also see How did I get infected?

Finally, it is best to update your system regularly, to ensure you have the latest security patches from Microsoft. Update by clicking here (http://v4.windowsupdate.microsoft.com/) and following the prompts.

#10 gooner


Posted 20 June 2005 - 08:33 AM

Thanks viccy, I will do as you say. I hope you don't mind, but with any problem I get in the future you will be hearing from me.
Thanks once again x

#11 viccy


Posted 20 June 2005 - 10:41 AM

Glad we were able to help you. You might want to submit one more log, so I can just give it a quick look before we close the topic.

#12 gooner


Posted 21 June 2005 - 03:20 PM

Hi viccy, just done another HijackThis log as you requested. I have installed ewido security suite; do I still need to install the SpywareBlaster and SpywareGuard you suggested?

Logfile of HijackThis v1.99.1
Scan saved at 21:13:05, on 21/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\keith\My Documents\drivers1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...512/mcfscan.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

#13 viccy


Posted 21 June 2005 - 03:29 PM

Yes, I recommend both programs. They are designed to keep you from opening a URL that is known to infect you with spyware. Prevention is very important when you're talking about spyware and viruses.

#14 viccy


Posted 22 June 2005 - 08:39 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Edited by viccy, 06 July 2005 - 07:56 AM.




