Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Weird Things Going On!


  • Please log in to reply
1 reply to this topic

#1 MSSKRS

MSSKRS

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 21 January 2006 - 09:39 AM

Yesterday i came to my PC booted it up and as it loaded the desktop Adaware SE 1.5 came up with loads of registry errors saying things were being changed. I clicked deny on them all....slowly but surely over the next few minutes all my .exe files changed to .lnk!

I've managed to sort this by d/ling reg fixes off the net and deleting adaware and installing 1.6 SE.

Now my network connections don't refresh and the icons do not appear in the right hand corner. They are not hidden as i don't use this function.

I've been through all the windows support and nothing, i've done virus checks, spayware search through adaware, Microsoft Antispyware and sbybot. I have SpywareBlaster installed and on startup everything is upto date....It's horrible i alwasy felt safe, i've followed every instruction on this site since i joined and everything has been ok till now.....any help or advice you can offer would be fantastic! :thumbsup:

Heres my Hijack log if it helps

Logfile of HijackThis v1.99.1
Scan saved at 14:29:10, on 21/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Documents and Settings\Bob Smith\Desktop\Ad-Watch.exe
C:\Program Files\FreeMeter\FreeMeter.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Bob Smith\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Documents and Settings\Bob Smith\Desktop\Ad-Watch.exe"
O4 - Startup: FreeMeter.lnk = C:\Program Files\FreeMeter\FreeMeter.exe
O4 - Startup: Microsoft AntiSpyware.lnk = C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
O4 - Startup: Shortcut to ashDisp.exe.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Startup: Shortcut to kpf4ss.exe.lnk = C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1117204929421
O16 - DPF: {7C405D1B-4007-11D3-8B8E-00104B3E656F} (SBCRecorderPlayer Control) - https://www.vodafone.net/VoiceRecorder/SBCRP.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su/ocx/15012/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CDDCD77-A58A-4A21-A5A8-73839796D6F3}: NameServer = 194.72.0.98 194.74.65.68
O17 - HKLM\System\CS2\Services\Tcpip\..\{2CDDCD77-A58A-4A21-A5A8-73839796D6F3}: NameServer = 194.72.0.98 194.74.65.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

BC AdBot (Login to Remove)

 


#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:07:05 PM

Posted 22 January 2006 - 06:15 AM

Hi :thumbsup:

Please disable TeaTimer during Hijackthis Cleanup

Disable Microsoft AntiSpyware Real-time Protection because it may interfere with the fix.

Disable Ad-Watch because it may interfere with the fix.

You should keep only one Antispyware program. Uninstall the others.


Download System Security Suite here:
System Security Suite Download. Unzip it to your desktop. Install the program. Don't use it yet.


Run HijackThis!, press Scan, and put a checkmark next to all these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -


Close all other windows and browsers, and press the Fix Checked button.


With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT your machine.

Your Sun Java version is vulnerable. !! First uninstall Sun Java from Add\Remove Programs. !!
Then install the latest version: http://www.java.com/en/download/manual.jsp

Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users