Altnet


  • This topic is locked
17 replies to this topic

#1 pjusken


Posted 25 January 2005 - 09:07 AM

Hi
My PC has been infected with Altnet and also the Searchweb toolbar. I have now tried several programs for finding and removing this type of infection (Adaware, SpyScan, Spyware Doctor, CVShredder and SpySubtract); every one of these tools reports the following instances in the registry:

HKLM\Software\Altnet
HKLM\Software\Altnet\Dashboard

but none of them is able to remove them. I have also tried to remove them manually, but am not allowed to.

None of the tools reports anything about the Searchweb toolbar, but every time I start IE, the Searchweb toolbar takes control over my IE. Has Searchweb something to do with the Altnet problem?

Anyway, a copy of the latest HJT log is enclosed; hopefully somebody can help me with these problems.

Thank you in advance


Logfile of HijackThis v1.99.0
Scan saved at 14:44:13, on 25.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Spyware Doctor\swdoctor.exe
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\OdHost.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
c:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\hjt\HijackThis.exe
C:\DOCUME~1\CAB\LOKALE~1\Temp\Midlertidig mappe 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.radkncluevjst.com/DaeelIQ9C3LBn...3Vxb4Tbk9lP.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zlvpmvtmoknuorqtorisnwt.com/Dae...Y85FxSFYjM.html
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programfiler\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [DATA SETTINGS] C:\DOCUME~1\CAB\PROGRA~1\16SOFT~1\procjoy.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WIRELESS NETWORKER 802.11ag Utility.lnk = C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe



#2 Daisuke


Posted 25 January 2005 - 05:31 PM

Hi :thumbsup:

You are running HijackThis from a temp folder. You will need to move hijackthis.exe to a permanent folder, such as c:\hjt. This has to be done as HijackThis creates backups when you fix items. These backups could easily get deleted in a temporary folder.

First create a new folder:
A. Click My Computer icon on your desktop
B. Click C: drive
C. Click the File menu --> New --> Folder, a folder "New folder" will be created.
D. Rename it HJT

Unzip hijackthis.exe to the c:\HJT folder.



Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.radkncluevjst.com/DaeelIQ9C3LBn...3Vxb4Tbk9lP.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zlvpmvtmoknuorqtorisnwt.com/Dae...Y85FxSFYjM.html

O4 - HKCU\..\Run: [DATA SETTINGS] C:\DOCUME~1\CAB\PROGRA~1\16SOFT~1\procjoy.exe

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab


Close all other windows and browsers, and press the Fix Checked button.

Search for this folder and delete it:
16SOFT~1 <-- this folder, foldername starts with 16SOFT

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?
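A small triage helper for HijackThis-style log lines, added here as an example; it is not part of this thread and not code from HijackThis. It only assumes the R0/R1, O4 and O16 line formats visible in the logs above, and its sample lines are constructed from them:

```python
"""Triage helper for HijackThis v1.99-style log lines (added example, not from this
thread or from HijackThis). It parses the R0/R1, O4 and O16 line formats shown in the
logs above and flags the three patterns the forum helper had the poster fix: a start/search
page pointing at a random-looking host, a Run entry launching from the user profile, and
a DPF (ActiveX) entry sourced from a local file:// path."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a few lines in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.radkncluevjst.com/DaeelIQ9C3LBn...3Vxb4Tbk9lP.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [DATA SETTINGS] C:\DOCUME~1\CAB\PROGRA~1\16SOFT~1\procjoy.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
"""

# Line formats as HijackThis prints them (O4 shows the registry path with ".." shorthand).
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?) = (?P<value>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<subkey>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_DPF = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<desc>[^)]*)\))? - (?P<src>.*)$")

# Path fragments meaning "runs out of a user profile or temp area", where a legitimate
# autostart would not normally live (8.3 short names included).
USER_PROFILE_MARKERS = ("docume~1", "documents and settings", "\\temp\\", "local settings", "recycler")

VOWELS = set("aeiouy")


@dataclass
class Finding:
    line: str
    severity: str   # "review": the kind of entry the helper had the poster fix; "info": worth a look
    reason: str


def longest_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(host: str, threshold: int = 4) -> bool:
    """Crude pronounceability heuristic: the hijack hostnames in this thread carry long
    consonant clusters, while ordinary names rarely exceed three in a row. The TLD is skipped."""
    labels = [part for part in host.lower().split(".") if part and part != "www"]
    return any(longest_consonant_run(part) >= threshold for part in labels[:-1])


def triage_line(line: str) -> Optional[Finding]:
    m = R_LINE.match(line)
    if m:
        host = urlparse(m["value"].strip()).hostname or ""
        if looks_random(host):
            return Finding(line, "review", f"{m['kind']} points at random-looking host {host}")
        return None
    m = O4_RUN.match(line)
    if m:
        if any(marker in m["cmd"].lower() for marker in USER_PROFILE_MARKERS):
            # HKCU entries are per account, which is why such an entry can come back when
            # another user logs in after the first account was cleaned.
            scope = "per-user (HKCU)" if m["hive"] == "HKCU" else "machine-wide (HKLM)"
            return Finding(line, "review", f"{scope} Run entry '{m['name']}' launches from a user profile/temp path")
        return None
    m = O16_DPF.match(line)
    if m:
        src = m["src"].strip()
        if src.lower().startswith("file:"):
            return Finding(line, "review", f"DPF control {m['clsid']} is sourced from a local path: {src}")
        if not m["desc"]:
            return Finding(line, "info", f"DPF control {m['clsid']} carries no description")
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(raw.strip()) for raw in log_text.splitlines() if raw.strip()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The hostname heuristic is a triage aid only: an entry it does not flag (such as a start page the user never set) still needs the reviewer's judgement.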


#3 pjusken


Posted 26 January 2005 - 01:35 PM

Hi :thumbsup:

I have now done the things you suggested and it seems like I'm rid of the problem with Searchweb, but ScanSpyware still reports the Altnet registry key. I don't know whether this is a problem if it is just in the registry without starting any programs?

Enclosed is the log from ScanSpyware:

Files recognized:
=================
__________________________________________________
Registry keys recognized:
=========================
[BrilliantDigital - BDE]
HKEY_LOCAL_MACHINE\software\altnet

[Altnet]
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard

[Altnet]
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
________________________________________________
Registry values recognized:
===========================
________________________________________________
Cookies recognized:
==================

[Tracking Cookies]
c:\documents and settings\cab\cookies\cab@cgi-bin[1].txt


Here is also the HJT-log after your recommended clean up:

Logfile of HijackThis v1.99.0
Scan saved at 19:09:24, on 26.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Spyware Doctor\swdoctor.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\OdHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\hjt\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programfiler\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WIRELESS NETWORKER 802.11ag Utility.lnk = C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe


Hope you have some more suggestions. Thank you so far.

#4 Daisuke


Posted 26 January 2005 - 02:52 PM

but ScanSpyware still report the Altnet regkey

I don't see Altnet installed on your computer. You can delete the registry keys manually, but these are harmless !!

It is strongly recommended that you back up the registry before making any changes to it.
Backing up the Windows registry

Go to Start --> Run, and type regedit in the Open box, then click OK

Navigate to this key and delete it:

HKEY_LOCAL_MACHINE\SOFTWARE\Altnet <-- this key


Log looks clean...great job ! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected ? With steps so it does not happen again !

Glad I was able to help.

Edited by Daisuke, 26 January 2005 - 02:53 PM.


#5 pjusken


Posted 27 January 2005 - 04:14 PM

Hi again :thumbsup:

Actually I'm sorry to be back after all your help. But since you checked my last HJT and found it OK: I have visited your How to avoid attacks page and done the recommended settings in my IE. I have also downloaded and installed Spybot Search and Destroy, but the SearchWeb toolbar is back in my IE, and I am now denying things that SSD warns me about approximately every minute. There is, as far as I can see, something wrong in the HJT log; hopefully you can take a look and check this. Can it be possible that this PC is so infected with something that I have to format the disk and reinstall everything?

Here is the HJT-log
Logfile of HijackThis v1.99.0
Scan saved at 22:05:11, on 27.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\OdHost.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iecivppcvem.com/DaeelIQ9C3LK5KI9IQW...Y85FxSFYjM.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WIRELESS NETWORKER 802.11ag Utility.lnk = C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe

#6 pjusken


Posted 28 January 2005 - 10:46 AM

Hi again Daisuke.

I was wondering, since my computer has user, administrator and guest accounts besides myself, is it possible that one of the other two users is infected with something that is causing the problem to return?

#7 Daisuke


Posted 28 January 2005 - 01:16 PM

I was wondering, since my computer has user, administrator and guest accounts besides myself, is it possible that one of the other two users is infected with something that is causing the problem to return?

If you are using these two accounts, yes.

Run HijackThis!, press Scan, and put a check mark next to all these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iecivppcvem.com/DaeelIQ9C3LK5KI9IQW...Y85FxSFYjM.html

Close all other windows and browsers, and press the Fix Checked button.

REBOOT and post a new log.

#8 pjusken


Posted 29 January 2005 - 02:50 AM

Hi Daisuke

I have now used the following programs to clean up the user account and the administrator account: AdAware, ScanSpyware and Spybot Search and Destroy, and I have also cleaned up both accounts with SS3. The guest account is also cleaned up and then deactivated. When I run HJT it seems to be OK, but when running the mentioned programs, they still find a registry key called Altnet, but they do not remove it. When I run RegEdit I can also find Altnet, but am not allowed to delete this directory from the registry. There are no values in this key, so it probably won't do any harm.
If I am still having problems, is it possible that I have something deeply hidden that starts up with some other processes or services that the various programs do not find?

Anyway, here are the two HJT-logs from the two users:

User account with admin rights:

Logfile of HijackThis v1.99.0
Scan saved at 01:11:16, on 29.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WIRELESS NETWORKER 802.11ag Utility.lnk = C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe

And here is the admin-account:

Logfile of HijackThis v1.99.0
Scan saved at 00:08:56, on 29.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.scanspyware.net/purchase.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WIRELESS NETWORKER 802.11ag Utility.lnk = C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe

Hopefully you can spot something that I don't do.

Cheers Pjusken

#9 Daisuke


Posted 29 January 2005 - 06:20 AM

Did you run HijackThis in safe mode? Please run it in normal mode. Is your problem solved?

#10 pjusken


Posted 29 January 2005 - 07:46 AM

Hi, yes I did run it in safe mode; here is a new one in normal mode from the user account (admin rights). It seems like there is something happening again, because Spybot Search and Destroy is now reporting that something is trying to make changes in the registry every minute.

Logfile of HijackThis v1.99.0
Scan saved at 13:43:22, on 29.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\OdHost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENONO/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.3000.1001\no\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [msnappau] "C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DATA SETTINGS] C:\DOCUME~1\CAB\PROGRA~1\16SOFT~1\procjoy.exe
O4 - Global Startup: WIRELESS NETWORKER 802.11ag Utility.lnk = C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe

#11 Daisuke


Posted 29 January 2005 - 08:03 AM

Hi :thumbsup:

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/

O4 - HKCU\..\Run: [DATA SETTINGS] C:\DOCUME~1\CAB\PROGRA~1\16SOFT~1\procjoy.exe


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if present:
procjoy.exe <-- this file


With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Please uninstall Spybot Search & Destroy and post a new log.

Everyday is virus day. Do you know where your recovery CDs are?
Did you create them yet?


#12 pjusken

pjusken
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:34 AM

Posted 30 January 2005 - 03:00 AM

Hi Daisuke.
I have now done the latest correction on the user account (admin rights).
I did not find procjoy.exe, but I found and deleted a directory called 16soft.
I do believe that I have tried this correction earlier, by the way.
Why are you now instructing me to remove Spybot S&D, when you told me to install it in an earlier reply??
Anyway, my HJT log is now as follows:
Logfile of HijackThis v1.99.0
Scan saved at 08:54:36, on 30.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\OdHost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.3000.1001\no\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.3000.1001\no\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [msnappau] "C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WIRELESS NETWORKER 802.11ag Utility.lnk = C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe

#13 pjusken

pjusken
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:34 AM

Posted 30 January 2005 - 03:08 AM

Hi again Daisuke

It is now 5 minutes since my last reply to you, and the only thing I have done since I did the corrections you told me to do is to log on to your internet site and post a reply with the HJT log. I can now inform you that Searchweb toolbar and everything else is back, so it seems that the corrections did not help. I have enclosed an HJT log from a scan that was run 5 minutes after the previous one.
I ask you once again: is it possible that there is a problem with some kind of startup services or something in IE that all of these spyware removal programs do not find?

Latest log:
Logfile of HijackThis v1.99.0
Scan saved at 08:54:36, on 30.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\OdHost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.3000.1001\no\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.3000.1001\no\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [msnappau] "C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WIRELESS NETWORKER 802.11ag Utility.lnk = C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe

#14 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:01:34 AM

Posted 30 January 2005 - 05:12 AM

Why are you now instructing me to remove Spybot S&D, when you told me to install it in an earlier reply??

You can install Spybot Search & Destroy when your computer is clean. Spybot Search & Destroy is interfering with the fix. Please uninstall it if your computer is not clean.

I can now inform you that Searchweb toolbar and everything else is back

There is nothing suspect in your log. Is this log from your user account? If this is not the log from your user account, please post ONLY the log from the user account.

I ask you once again: is it possible that there is a problem with some kind of startup services

Do you mean Windows Services? These services ARE VISIBLE in the HijackThis log and there is nothing wrong with them.

something in IE that all of these spyware removal programs do not find?

You are talking about Searchweb toolbar. A toolbar IS VISIBLE in the HijackThis log. In your logs there is NO toolbar visible, except MSN Toolbar.

So, uninstall Spybot Search & Destroy. REBOOT your computer and post the log from the USER account ONLY.


Download VX2Finder from this link:
http://www.downloads.subratam.org/VX2Finder.exe
Run Vx2Finder and click on the Click to find VX2.BetterInternet button.

Click the Make Log button.

Save the log some place convenient like My Documents. Include the contents of the log in your next reply here.
Everyday is virus day. Do you know where your recovery CDs are?
Did you create them yet?
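Added example, not code from the thread, from HijackThis or from either poster: a small Python parser for the log format quoted in this thread. It pulls the launched file out of every O4 autorun entry and flags ones that start from a user-profile or temp folder (the pattern of the procjoy.exe line the helper told the poster to fix), and it reports which entries changed between two scans, which is what the helper is doing by eye between replies. The sample lines are a constructed subset of the logs posted above; the list of user-writable folder markers is my own heuristic, not something HijackThis provides.

```python
import re

# Constructed sample: four entries taken from the logs posted in this thread.
LOG_BEFORE = r"""O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [DATA SETTINGS] C:\DOCUME~1\CAB\PROGRA~1\16SOFT~1\procjoy.exe
O4 - Global Startup: WIRELESS NETWORKER 802.11ag Utility.lnk = C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
"""
# The same machine after "Fix checked": only the HKCU Run line is gone.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "procjoy" not in l)

# Heuristic (my assumption): folders a legitimate autorun rarely starts from.
# HijackThis prints 8.3 short names as-is, so DOCUME~1 is listed explicitly.
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\",
                   "\\local settings\\", "\\application data\\")

O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (.*?) = (.*)$")
EXEC_PATH = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|bat|pif))"?', re.IGNORECASE)

def launched_file(command):
    """Return the file an autorun command starts, without quotes or arguments."""
    m = EXEC_PATH.match(command.strip())
    return m.group(1) if m else command.strip()

def parse_entries(text):
    """Return (section, line) for every R/F/O entry, skipping headers and processes."""
    return [(m.group(1), line.rstrip()) for line in text.splitlines()
            if (m := re.match(r"^([RFO]\d+) - ", line))]

def flag_autoruns(text):
    """Return [(line, reason)] for O4 entries launched from a user-writable folder."""
    flagged = []
    for section, line in parse_entries(text):
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if section != "O4" or not m:
            continue
        path = launched_file(m.group(m.lastindex)).lower()  # last group = command
        hit = next((mk for mk in PROFILE_MARKERS if mk in path), None)
        if hit:
            flagged.append((line, "autorun starts from %s" % hit.strip("\\")))
    return flagged

def diff_logs(old_text, new_text):
    """Entries added to and removed from a log between two scans, order ignored."""
    old = {line for _, line in parse_entries(old_text)}
    new = {line for _, line in parse_entries(new_text)}
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    for line, why in flag_autoruns(LOG_BEFORE):
        print("FLAG (%s): %s" % (why, line))
    print("removed by the fix:", diff_logs(LOG_BEFORE, LOG_AFTER)[1])
```

Run against two of the poster's full logs, diff_logs shows whether a "Fix checked" actually took, and an entry that reappears in the later log is the sign of a re-installer that a plain HijackThis fix will not remove.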


#15 pjusken

pjusken
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:34 AM

Posted 09 February 2005 - 02:51 PM

Hello again Daisuke

I have been off-line for a while and haven't had the time to deal with this matter until now. Now that I'm back, let me try to explain something funny that is happening on this computer. Both AdAware and Scan Spyware are reporting a regkey, Altnet, which is impossible to remove; this is not reported by HJT as far as I can see. AdAware is also reporting some LOP-stuff in a hidden directory. When I check in this directory there is a file with a rather suspicious name; right now the complete path and filename is:
C:\Documents and settings\CAB\local settings\temp\rhtnicye.exe

I am not allowed to delete this file; AdAware is reporting that this is a high risk. This, or similar files, seems to come back every time I reboot my computer.
By the way, Scan Spyware does not report this.

Hope that you can tell me what this is. Anyway, here are the different logs.

First the log from HJT and further down the log from VX2Finder:

Logfile of HijackThis v1.99.0
Scan saved at 20:22:55, on 09.02.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\OdHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.3000.1001\no\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.3000.1001\no\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [msnappau] "C:\Programfiler\MSN Apps\Updater\01.02.3000.1001\no\msnappau.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - Global Startup: WIRELESS NETWORKER 802.11ag Utility.lnk = C:\Programfiler\Symbol\WIRELESS NETWORKER 802.11ag\GUIMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Programfiler\Fellesfiler\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Programfiler\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe


VX2Finder:
Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
SV1


Hope that you can help me fix this, thanks in advance

Best regards, Pjusken



