Does This Look Infected?


  • This topic is locked
3 replies to this topic

#1 Nibblets

  • Members
  • 1 posts

Posted 23 November 2005 - 07:46 PM

Sorry that I could not be more descriptive in my message title, but I don't know if my problem is virus related... but it seems to have the symptoms. The problem started a few days ago, when my computer began to randomly lock up: my mouse stops moving, nothing happens, I have to turn off my computer before everything starts moving again. But it keeps happening, sometimes right away... sometimes within hours. I was thinking that it might also have to do with my wireless connection somehow, but I have no idea... I'm completely lost and looking for a helping hand.
Anyways, here is my log:

------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:34:56 PM, on 23/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Andrew Strapp\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\tbu04383\cram1.dll
O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\tbu04383\cram1.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2 jboz24

  • Members
  • 37 posts

Posted 23 November 2005 - 09:48 PM

nibblets -- I'm taking a look now at your post. I'll post back in a little bit with some instructions for you.

jboz24

#3 jboz24

  • Members
  • 37 posts

Posted 23 November 2005 - 10:08 PM

Your log doesn't look too bad. Let's get rid of the CramToolbar infection and then run some scans. Please let me know if you run into any problems...

Thanks!

I. Add/Remove Programs

Please open your Control Panel by clicking "Start > Settings > Control Panel" or "Start > Control Panel" depending on your setup.
Find the icon "Add or Remove Programs" and double-click on it.
Under the list of 'Currently Installed Programs', please locate the following items:

Cram Toolbar

Click on each item to highlight the row. Please click the button with "Remove" on it to begin the uninstaller.
Follow the onscreen prompts to completely uninstall the program.

II. Please Launch HijackThis and place a check mark next to the following items that still exist:

R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\tbu04383\cram1.dll
O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\tbu04383\cram1.dll

Please close all open windows except for HijackThis and then click "Fix Checked".

III. Please delete the following folder listed in RED if it still exists

C:\Program Files\Cram Toolbar

IV. Download CCleaner

CCleaner is a tool for cleaning temporary files stored on your computer which may help improve performance. Please be careful using CCleaner and use only the functions listed below. Please download CCleaner from
http://www.ccleaner.com/download118p.asp

Once installed, run CCleaner and click on the "Windows" tab.
Please Check the following:

Under Internet Explorer:
Temporary Internet Files
History
Recently Typed URLs
Delete Index.dat files

Under System:
Empty Recycle Bin
Temporary Files
Memory Dumps
Chkdsk File Fragments
Old Prefetch Data

Next: click the "Options" button (top right) and then click the "Settings" tab
Uncheck: "Only delete files older than 48 hrs." and click OK

Then click the "Run Cleaner" button (bottom right). You can exit when it is done.

V. Ad-Aware Scan

:!: If you have any previous versions of Ad-Aware, please click "Start > Settings > Control Panel > Add or Remove Programs". Find "Ad-Aware SE Personal", click on it, and then click "Remove".

Download and install Ad-Aware SE version 1.06 from http://www.download.com/3000-2144-10045910...page&tag=button
Once the installation completes, uncheck all three items (Perform System Scan, Update Definition, and Help) and click finish.
Close ALL other windows and launch Ad-Aware SE.
If Ad-Aware does not prompt you to update the reference files, click on the "Earth" icon (top right) and retrieve the latest Reference file.
Once the update is finished click on the 'Gear' icon (second from the left at the top of the window) to access the preferences/settings window.

This will take a few minutes to initially set up but you should only need to do this once.

Please make sure the following have a GREEN checkmark next to them:

General:
* Automatically save log-file
* Automatically quarantine objects prior to removal
* Safe Mode (always request confirmation)
* Prompt to update outdated definitions

Scanning:
* Scan Within Archives
* Scan Active Processes
* Scan Registry
* Deep Scan Registry
* Scan my IE favorites for banned URL’s
* Scan my Hosts file

Advanced:
* Move deleted files to recycle bin
* include additional object information

Tweak - Scanning Engine:
* Unload recognized processes during scanning
* Scan registry for all users instead of current user only

Tweak - Cleaning Engine:
* Always try to unload modules before deletion
* During removal, unload Explorer and IE if necessary
* Let Windows remove files in use at next reboot
* Delete quarantined objects after restoring

Tweak - Log Files:
* Include basic Ad-aware SE settings in logfile
* Include additional Ad-aware SE settings in logfile

Please make sure the following have a RED 'X' next to them:

Advanced:
* include negligible objects information
* include environment information
* Don't log streams smaller than 0 bytes
* Don't log ADS with the following names: 'CA_INOCULATEIT'

Tweak - Scanning Engine:
* Obtain command line of scanned processes
* Run scan as background process (Low CPU usage)
* Use permanent archive caching

Tweak - Cleaning Engine:
* Create log file for removal operations
* Disable manual quarantine if auto-quarantine is selected

Tweak - Log Files:
* Include Module list in logfile

Now that your settings are correct, click on 'Proceed' to save the settings.
Click 'Start' and then 'Perform Full System Scan'.
DESELECT 'Search for negligible risk entries', as negligible risk entries (MRU's) are not considered to be a threat.
Click 'Next' and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
Save the log file when it asks and then click 'Finish'
Reboot your computer

VI. Spybot Search & Destroy version 1.4.0

:!: If you have any previous versions of Spybot Search and Destroy, please click "Start > Settings > Control Panel > Add or Remove Programs". Find "Spybot -- Search & Destroy", click on it, and then click "Remove".

Download and launch the install file of Spybot Search and Destroy version 1.4.0 from http://fileforum.betanews.com/download/Spy...oy/1043809773/1 -- Accept the Default Settings.
Close ALL windows except Spybot Search and Destroy.
In the Menu Bar, click 'Mode' and select 'Default mode'.
Click the button 'Search for Updates', check off any items it finds, and then click 'Download Updates'.
Click the 'Search and Destroy' icon on the left and then the button 'Check for Problems'
When Spybot is complete, it will be showing Red, Green, and Black entries. Make certain there is a check mark beside all of the RED entries ONLY.
Choose 'Fix Selected Problems' and allow Spybot to fix the RED entries.
Reboot the computer.

VII. Repost

Please repost with a new HijackThis log.
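
As an added example (not code from this thread, from HijackThis or from BleepingComputer): a small Python triage script for the HijackThis v1.99 log format posted in #1. It parses the R*/O* entries, pulls out CLSIDs and file paths, and flags the items a helper looks at first: a DLL on a watchlist, "(file missing)" entries, O23 services with "Unknown owner", and one DLL registered under more than one IE hook type (here cram1.dll as both the R3 URLSearchHook and the O2 BHO, the pattern step II fixes). SAMPLE_LOG is a constructed subset of the posted log; the flagging rules are this example's own heuristics, not HijackThis's. The registry paths it prints for O2 and R3 entries are the standard BHO and URLSearchHooks locations, given so the fix can be confirmed in regedit afterwards.

```python
"""Triage helper for HijackThis v1.99 logs.

Added example for this thread, not code from the original post or from
HijackThis itself. SAMPLE_LOG is a constructed subset of the log posted in #1;
the flagging rules below are this example's own heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a handful of lines copied from the posted log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\tbu04383\cram1.dll
O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\tbu04383\cram1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive- or %VAR%-rooted path ending in .exe/.dll; a quote ends the match.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%[A-Za-z]+%)\\[^"\n]*?\.(?:exe|dll)', re.IGNORECASE)
HOOK_KINDS = {"R3", "O2", "O3"}  # URLSearchHook, Browser Helper Object, IE toolbar


@dataclass
class Entry:
    kind: str
    body: str
    clsids: list = field(default_factory=list)
    paths: list = field(default_factory=list)

    @property
    def dll_names(self) -> set:
        # Compare on the file name only, so the 8.3 form C:\PROGRA~1\CRAMTO~1\...\cram1.dll
        # and the long form C:\Program Files\Cram Toolbar\...\cram1.dll count as the same DLL.
        return {p.rsplit("\\", 1)[-1].lower() for p in self.paths}


def parse_hjt(text: str) -> list:
    """Return the R*/O* entries of a HijackThis log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            body = m.group("body")
            entries.append(Entry(m.group("kind"), body, CLSID_RE.findall(body), PATH_RE.findall(body)))
    return entries


def triage(entries: list, watchlist=frozenset()) -> list:
    """Return (entry, reasons) pairs for the entries a helper would look at first."""
    watch = {w.lower() for w in watchlist}
    loaders = {}  # dll name -> set of IE hook kinds that load it
    for e in entries:
        if e.kind in HOOK_KINDS:
            for d in e.dll_names:
                loaders.setdefault(d, set()).add(e.kind)
    findings = []
    for e in entries:
        reasons = []
        hits = e.dll_names & watch
        if hits:
            reasons.append("on watchlist: " + ", ".join(sorted(hits)))
        if "(file missing)" in e.body:
            reasons.append("registered file is not on disk (dead entry, safe to fix)")
        if e.kind == "O23" and "Unknown owner" in e.body:
            reasons.append("service binary carries no publisher string; verify it")
        if e.kind in HOOK_KINDS:
            for d in e.dll_names:
                if len(loaders[d]) > 1:
                    reasons.append(d + " is registered under several IE hook types: " + "/".join(sorted(loaders[d])))
        if reasons:
            findings.append((e, reasons))
    return findings


def registry_location(e: Entry) -> Optional[str]:
    """Where an O2 (BHO) or R3 (URLSearchHook) entry lives, for checking in regedit."""
    if not e.clsids:
        return None
    clsid = e.clsids[0]
    if e.kind == "O2":
        return "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\" + clsid
    if e.kind == "R3":
        return "HKCU\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks (value named " + clsid + ")"
    return None


if __name__ == "__main__":
    for entry, reasons in triage(parse_hjt(SAMPLE_LOG), watchlist={"cram1.dll"}):
        print(entry.kind + ": " + entry.body[:60])
        for r in reasons:
            print("    -", r)
        loc = registry_location(entry)
        if loc:
            print("    regedit:", loc)
```

Run against the full log from #1 with `watchlist={"cram1.dll"}`, it picks out the two Cram Toolbar lines that step II fixes, the dead msnim protocol handler, and the rpcapd service whose binary is gone. After "Fix Checked", the BHO key it prints for the O2 line should no longer exist, which is a quicker confirmation than waiting for the next full log.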

#4 jboz24

  • Members
  • 37 posts

Posted 12 December 2005 - 10:05 AM

Unfortunately, we have not heard a response from you for some time and will have to close this thread.

If you would like to re-open this topic, please send a PM to a moderator with the address of this thread.

This applies only to the original topic starter. Everyone else please begin a New Topic.
