
Hijack Log - Hallie


This topic is locked
9 replies to this topic

#1 Hallie


Posted 16 January 2005 - 06:08 AM

Hi all! Hope somebody can help me with my problem :thumbsup:

Logfile of HijackThis v1.99.0
Scan saved at 13.38.25, on 15/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\winasp.exe
C:\WINDOWS\System32\winfirewall.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\realone.exe
C:\WINDOWS\System32\Botnet.exe
C:\WINDOWS\System32\winsystem32.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\crashes.exe
C:\WINDOWS\System32\spoolvse.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\mmups.exe
C:\WINDOWS\msexploren.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\WINDOWS\sssasasb32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\System32\vpc32.exe
C:\Documents and Settings\XP\Dati applicazioni\tihi.exe
C:\Programmi\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ShellExt\a1sc18h.EXE
C:\Documents and Settings\XP\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...ount_id=1001545
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...ount_id=1001545
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...ount_id=1001545
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\logon.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\Run: [Shell Logon] C:\logon.exe
O4 - HKLM\..\Run: [Windows System32] winsystem32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [u04C
}z[8C:\Programmi\ISTsvc\istsvc.exe] C:\WINDOWS\qyikm.exe
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\Run: [lamebleep] C:\crashes.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vlgrw.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvhug32.exe
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] Botnet.exe
O4 - HKLM\..\RunServices: [Windows System32] winsystem32.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKLM\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Windows System32] winsystem32.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Csau] C:\Documents and Settings\XP\Dati applicazioni\tihi.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKCU\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYes.../bridge-c46.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD5071D4-4B4B-4402-BCAB-D12CE4F6E8BF}: NameServer = 217.141.110.203 151.99.125.1
O18 - Filter: text/html - {A46AF3BC-8FB4-402F-B925-F149EB1934A4} - C:\Documents and Settings\XP\Impostazioni locali\Dati applicazioni\microsoft\internet explorer\V0.26.dat
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Programmi\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe


#2 Hallie


Posted 16 January 2005 - 06:27 AM

I'm posting from my friend's PC because on mine Explorer doesn't work anymore; every time I open it I receive these errors: "res:shdoclc.dll/dsnerror.htm" "broken internet access because of LSP provider c:/windows/system32/lsp.dll missing"

#3 Buckeye_Sam (Malware Expert)

Posted 16 January 2005 - 08:24 AM

First let's see if we can get your connection back. Download this tool and run it.

http://www.spychecker.com/program/winsockxpfix.html


Next step is to download Stinger and run it also.

http://vil.nai.com/vil/stinger/


Let me know what Stinger finds and if you have your connection back. Then please post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 Hallie


Posted 16 January 2005 - 01:10 PM

Thanks! I've run the first tool and had my connection back for a while, but now it doesn't work again. In the time I had it back I ran a scan with Stinger. It found and eliminated a trojan that Norton had also found.

Here's my new log:

Logfile of HijackThis v1.99.0
Scan saved at 17.55.41, on 16/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\winfirewall.exe
C:\WINDOWS\System32\winasp.exe
C:\WINDOWS\System32\srcwin32.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\winsystem32.exe
C:\WINDOWS\System32\vpc32.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\realone.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spoolvse.exe
C:\crash.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cock.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\Program Files\Admanager Controller\AdManKeep.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\XP\Desktop\HijackThis.exe

O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows System32] winsystem32.exe
O4 - HKLM\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [lamebleep] C:\crash.exe
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\Run: [Java Output Configuration] srcwin32.exe
O4 - HKLM\..\Run: [soft Special] cock.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\RunServices: [Windows System32] winsystem32.exe
O4 - HKLM\..\RunServices: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Java Output Configuration] srcwin32.exe
O4 - HKLM\..\RunServices: [soft Special] cock.exe
O4 - HKLM\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKLM\..\RunOnce: [Java Output Configuration] srcwin32.exe
O4 - HKCU\..\Run: [Windows System32] winsystem32.exe
O4 - HKCU\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Java Output Configuration] srcwin32.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - HKCU\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKCU\..\RunOnce: [Java Output Configuration] srcwin32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD5071D4-4B4B-4402-BCAB-D12CE4F6E8BF}: NameServer = 217.141.110.203 151.99.125.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Programmi\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

#5 Buckeye_Sam (Malware Expert)

Posted 16 January 2005 - 01:28 PM

You still have several trojans showing in your log. Let's try another tool. Download and install a2.

http://www.emsisoft.com/en/software/free/

It's a free tool and a very good complement to your Norton, but you do have to register to get the updates. Once you have registered, make sure you check for updates and install them.

Before you run it go into Windows Task Manager by clicking CTRL - ALT - DELETE at the same time. Find these processes and click End Process.

winfirewall.exe
winasp.exe
srcwin32.exe
winsystem32.exe
vpc32.exe
realone.exe
spoolvse.exe
crash.exe
cock.exe


Then run a2 and let it remove everything it finds. Reboot and post a new hijackthis log.

Edited by Buckeye_Sam, 16 January 2005 - 01:29 PM.


#6 Hallie


Posted 16 January 2005 - 02:57 PM

A2 free didn't find anything. Here's my new log:

Logfile of HijackThis v1.99.0
Scan saved at 20.49.49, on 16/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\WINDOWS\System32\spoolvse.exe
C:\WINDOWS\System32\winmedplay.exe
C:\Program Files\Admanager Controller\AdManKeep.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\XP\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.groups.yahoo.com/group/thebuffysworldofspoilers/
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows System32] winsystem32.exe
O4 - HKLM\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\Run: [Java Output Configuration] srcwin32.exe
O4 - HKLM\..\Run: [lamebleep] C:\crash.exe
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunServices: [Windows System32] winsystem32.exe
O4 - HKLM\..\RunServices: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Java Output Configuration] srcwin32.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKLM\..\RunOnce: [Java Output Configuration] srcwin32.exe
O4 - HKCU\..\Run: [Windows System32] winsystem32.exe
O4 - HKCU\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Java Output Configuration] srcwin32.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - HKCU\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKCU\..\RunOnce: [Java Output Configuration] srcwin32.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Programmi\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

Edited by Hallie, 16 January 2005 - 02:59 PM.


#7 Buckeye_Sam (Malware Expert)

Posted 16 January 2005 - 05:19 PM

Hmmm...that's interesting. Well, let's see what we can do for you.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O4 - HKLM\..\Run: [Windows System32] winsystem32.exe
O4 - HKLM\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\Run: [Java Output Configuration] srcwin32.exe
O4 - HKLM\..\Run: [lamebleep] C:\crash.exe
O4 - HKLM\..\Run: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunServices: [Windows System32] winsystem32.exe
O4 - HKLM\..\RunServices: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Java Output Configuration] srcwin32.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [Microsofts MediaScope] winmedplay.exe
O4 - HKLM\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKLM\..\RunOnce: [Java Output Configuration] srcwin32.exe
O4 - HKCU\..\Run: [Windows System32] winsystem32.exe
O4 - HKCU\..\Run: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Java Output Configuration] srcwin32.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - HKCU\..\RunOnce: [Win32 Firewall Drivers] winfirewall.exe
O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKCU\..\RunOnce: [Java Output Configuration] srcwin32.exe


Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\System32\winfirewall.exe
C:\WINDOWS\System32\winasp.exe
C:\WINDOWS\System32\srcwin32.exe
C:\WINDOWS\System32\spoolvse.exe
C:\WINDOWS\System32\winmedplay.exe
C:\WINDOWS\System32\realone.exe
C:\crash.exe
C:\WINDOWS\System32\vpc32.exe


Delete temp files

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin


Reboot your computer to go back to normal mode.


Please run these two online scans.
Make sure they are set to clean automatically:

http://housecall.trendmicro.com/

http://www.pandasoftware.com/activescan/co...n_principal.htm

If there are files that can not be removed by the scans please include that information in your next post.


Reboot once more and post a new hijackthis log.
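A small triage script in the spirit of the checks Buckeye_Sam applies in the posts above, added here as an example and not code from this thread or from HijackThis: it parses the O4 lines of a log and scores each launched program on the signals visible in Hallie's logs (a bare file name with no directory, a file dropped in the drive root, use of the RunServices key, the same file registered in several autostart keys, and a value name that poses as a Windows component). The sample lines are a constructed subset of the second log, and the point weights and the threshold of 3 are assumptions made for the example.

```python
import re
from collections import defaultdict

# A HijackThis O4 line looks like: O4 - <hive>\..\<key>: [<value name>] <command>
O4_LINE = re.compile(
    r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[([^\]]*)\] (.*)$"
)
# Words the value names in this thread use to pose as Windows components.
IMPERSONATION_WORDS = ("microsoft", "windows", "win32")

# Constructed sample: a subset of the O4 entries from the second log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows System32] winsystem32.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [lamebleep] C:\crash.exe
O4 - HKLM\..\RunServices: [Windows System32] winsystem32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [Windows System32] winsystem32.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
"""


def executable(cmd):
    """Return (lower-cased program file name, program path as written) for an O4 command.

    Handles the three shapes seen in this thread: a quoted path followed by
    arguments, an unquoted path that may contain spaces, and a bare file name.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:cmd.find('"', 1)]
    else:
        m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd.split()[0]
    return path.rsplit("\\", 1)[-1].lower(), path


def triage(log_text):
    """Score every program launched from an O4 entry; a higher score is more suspicious.

    The point weights are an assumption made for this example, not a HijackThis rule.
    """
    slots = defaultdict(set)   # exe -> {(hive, key), ...}
    names = defaultdict(set)   # exe -> {value names it was registered under}
    paths = {}                 # exe -> path as written in the log
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue           # not an O4 line (or a garbled one): skip it
        hive, key, value_name, cmd = m.groups()
        exe, path = executable(cmd)
        slots[exe].add((hive, key))
        names[exe].add(value_name)
        paths[exe] = path

    report = {}
    for exe, where in slots.items():
        path = paths[exe]
        checks = [
            (1, "bare .exe name, resolved through the PATH search order",
             "\\" not in path and exe.endswith(".exe")),
            (1, "program dropped directly in the drive root",
             re.fullmatch(r"[a-z]:\\[^\\]+", path, re.IGNORECASE) is not None),
            (2, "registered under the Windows 9x-era RunServices key",
             any(key == "RunServices" for _, key in where)),
            (1, "same program registered in three or more autostart keys",
             len(where) >= 3),
            (1, "value name poses as a Windows component",
             any(w in n.lower() for n in names[exe] for w in IMPERSONATION_WORDS)),
        ]
        report[exe] = {
            "score": sum(pts for pts, _, hit in checks if hit),
            "reasons": [text for _, text, hit in checks if hit],
            "keys": sorted(f"{hive}\\{key}" for hive, key in where),
            "value_names": sorted(names[exe]),
        }
    return report


def suspicious(log_text, min_score=3):
    """Program names worth a closer look, most suspicious first."""
    report = triage(log_text)
    hits = [exe for exe, info in report.items() if info["score"] >= min_score]
    return sorted(hits, key=lambda exe: (-report[exe]["score"], exe))


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for exe in suspicious(SAMPLE_LOG):
        print(f"{exe}: score {report[exe]['score']} in {', '.join(report[exe]['keys'])}")
        for reason in report[exe]["reasons"]:
            print(f"  - {reason}")
```

The score only orders the review; a low-scoring entry such as C:\crash.exe still shows up in the full report with its reason, which is why the helper in this thread removed it too.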

#8 Hallie


Posted 17 January 2005 - 02:49 PM

Hi! The situation is so much better thanks to you; for example, now the connection works properly.
I've done all you told me; the online antivirus couldn't eliminate these:
WORM RBOT.AFL
WORM SPYBOT.MQ
both in the System32 folder.

Also, Norton keeps eliminating this W32.KORGO.V but it keeps reforming.

Finally, I've noticed these ad programs that keep reforming even if I delete them:
Ad Manager Controller
Search relevancy
Shopathomeselect Agent

Here's my new log:
Logfile of HijackThis v1.99.0
Scan saved at 20.33.35, on 17/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wmpa36.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\Program Files\Admanager Controller\AdManKeep.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\XP\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Windows Media Player 3.6] wmpa36.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Windows Media Player 3.6] wmpa36.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Programmi\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Spooler di stampa - Unknown - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

#9 Buckeye_Sam (Malware Expert)

Posted 17 January 2005 - 03:08 PM

Showing improvement, good! Let's go another round.

Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.



Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O4 - HKLM\..\Run: [Windows Media Player 3.6] wmpa36.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [Windows Media Player 3.6] wmpa36.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe


Reboot your computer into Safe Mode


Run a full scan with Adaware. Let it remove everything that it finds.


Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\System32\wmpa36.exe
C:\WINDOWS\System32\spoolvse.exe
C:\Program Files\Admanager Controller <- this folder

Reboot your computer to go back to normal mode and post a new log.

#10 Buckeye_Sam (Malware Expert)

Posted 12 February 2005 - 06:14 PM

This topic has been closed due to a lack of response. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
