Norton Antivirus 2004 Auto-Protect Being Disabled; Win XP.



gregster007
08-02-2004, 01:06 PM
Afternoon all, hope some of you might be able to shed some light on these problems I am having.
After I log into my Windows XP machine I get two messages appearing (not sure if they are related though). This only started happening about 2 days ago and I haven't installed anything new etc... just not sure what is happening.

First is the following:
----
Application popup: iexplore.exe - Bad Image :
The application or DLL C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rva1.tmp is not a valid Windows image. Please check this against your installation diskette.
----
NB: the name of the temp file can be anything just a few letters then a number.
I can just click on OK and all is fine and can continue working. I have tried deleting the file it mentions but every time I log in again it just recreates it and get the same error.


Second which is more serious; the following appears after a login within a command prompt:
----
System error 1060 has occurred.
The specified service does not exist as an installed service.
System error 1060 has occurred.
The specified service does not exist as an installed service.

Process ### (didn’t get the digits) NTPROTECT has been killed.
Process ### (didn’t get the digits) #### (didn’t get this either) has been killed.
----
This screen appears then automatically disappears after it has finished running.
Both are relating to my antivirus, and when this happens my AV is stopped and can't be restarted; even re-opening AV and enabling it, just nothing happens.
I can just close the command prompt before it finishes loading so the AV is running but as you would imagine it becomes a little tedious.



Any help would be much appreciated as I don’t really know what is happening and have tried Technet and also just surfing about trying to find an answer but to no avail.


Spec:
Windows XP, up-to-date via windows update.
IE V.6
Norton Antivirus 2004

iMartin
08-02-2004, 01:23 PM
First thing, uninstall that piece 'o :shit: Norton, and download Kaspersky (ftp://downloads-us1.kaspersky-labs.com/trial/registered/2T17J48017F63KM1T941/kav5.0trial_personalen.exe). That will make a world of difference. (PM me for a crack)

peat moss
08-02-2004, 01:31 PM
Try a spyware remover?

http://www.safer-networking.org/en/download/index.html

iMartin
08-02-2004, 01:35 PM
If it's spyware, I'd use SpySweeper. SpyBot hardly finds anything nowadays.

!!!!~~~W0OT, OMFG!! 1000TH POST~~~!!!!

Chewie
08-02-2004, 02:43 PM
Originally posted by iMartin@2 August 2004 - 13:24
First thing, uninstall that piece 'o :shit: Norton, and download Kaspersky (ftp://downloads-us1.kaspersky-labs.com/trial/registered/2T17J48017F63KM1T941/kav5.0trial_personalen.exe).
No, the first thing should be to perform an online virus-check.
Next, download, install and update the latest versions of Spybot, Adaware & HijackThis.
Then scan and clean with Spybot and Adaware.
Lastly, run HijackThis, perform a scan and post the resulting log here.

Personally, I don't think NAV is :shit: :) - apart from the fact that my customers that now use it don't phone me anywhere near as often as they used to. :(

firefox
08-02-2004, 08:46 PM
Originally posted by Chewie UK@2 August 2004 - 08:44
Originally posted by iMartin@2 August 2004 - 13:24
First thing, uninstall that piece 'o :shit: Norton, and download Kaspersky (ftp://downloads-us1.kaspersky-labs.com/trial/registered/2T17J48017F63KM1T941/kav5.0trial_personalen.exe).
No, the first thing should be to perform an online virus-check.
Next, download, install and update the latest versions of Spybot, Adaware & HijackThis.
Then scan and clean with Spybot and Adaware.
Lastly, run HijackThis, perform a scan and post the resulting log here.

Personally, I don't think NAV is :shit: :) - apart from the fact that my customers that now use it don't phone me anywhere near as often as they used to. :(
It has to be a virus on your computer; do what Chewie UK said first. Norton is OK but I prefer the corp edition.

gregster007
08-03-2004, 12:46 PM
Hi all,

Thanks for all the tips etc..

I have done an online scan and no viruses were found, so it's not a virus problem. I have also scanned my machine using Spybot, Adaware etc., all to no avail; still getting both of the errors as first described.

Any further help would be much appreciated as at the moment I am stumped.

Cheers

PS Below is log from HiJack this if anyone can help with this:

Logfile of HijackThis v1.97.7
Scan saved at 13:46:25, on 03/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\planetscott.ca\PopupBlock\PopupBlock.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\WINDOWS\System32\iexplore.exe
C:\winnt\system32\drivers\etc\csrss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\winnt\system32\drivers\etc\lsass.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\iexplore.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\My Download Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.30.112.1:8080
O1 - Hosts: 66.159.20.52 www1.ndhosting.com
O1 - Hosts: 66.159.20.52 www3.ndhosting.com
O1 - Hosts: 66.159.20.52 www2.ndhosting.com
O1 - Hosts: 66.159.20.52 www.ndhosting.com
O1 - Hosts: 66.159.20.52 www.kinghost.com
O1 - Hosts: 66.159.20.52 kinghost.com
O1 - Hosts: 66.159.20.52 www1.kinghost.com
O1 - Hosts: 66.159.20.52 www2.kinghost.com
O1 - Hosts: 66.159.20.52 www3.kinghost.com
O1 - Hosts: 66.159.20.52 www4.kinghost.com
O1 - Hosts: 66.159.20.52 www5.kinghost.com
O1 - Hosts: 66.159.20.52 www6.kinghost.com
O1 - Hosts: 66.159.20.52 www7.kinghost.com
O1 - Hosts: 66.159.20.52 www8.kinghost.com
O1 - Hosts: 66.159.20.52 www9.kinghost.com
O1 - Hosts: 66.159.20.52 www10.kinghost.com
O1 - Hosts: 66.159.20.52 www.smutserver.com
O1 - Hosts: 66.159.20.52 smutserver.com
O1 - Hosts: 66.159.20.52 www1.smutserver.com
O1 - Hosts: 66.159.20.52 www2.smutserver.com
O1 - Hosts: 66.159.20.52 www16.smutserver.com
O1 - Hosts: 66.159.20.52 www3.smutserver.com
O1 - Hosts: 66.159.20.52 www4.smutserver.com
O1 - Hosts: 66.159.20.52 www5.smutserver.com
O1 - Hosts: 66.159.20.52 www6.smutserver.com
O1 - Hosts: 66.159.20.52 www7.smutserver.com
O1 - Hosts: 66.159.20.52 www8.smutserver.com
O1 - Hosts: 66.159.20.52 www9.smutserver.com
O1 - Hosts: 66.159.20.52 www10.smutserver.com
O1 - Hosts: 66.159.20.52 www11.smutserver.com
O1 - Hosts: 66.159.20.52 www12.smutserver
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\planetscott.ca\PopupBlock\PBHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [PopupBlock] C:\Program Files\planetscott.ca\PopupBlock\PopupBlock.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [HP Update 4300C] C:\sj657\hpupdate.exe 4300C
O4 - HKLM\..\Run: [windows update] iexplore.exe
O4 - HKLM\..\Run: [AAS] c:\winnt\system32\drivers\etc\check.bat
O4 - HKLM\..\Run: [csrss service] c:\winnt\system32\drivers\etc\csrss.exe
O4 - HKLM\..\Run: [secure] c:\winnt\system32\drivers\etc\secure.exe
O4 - HKLM\..\Run: [lsass service] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\RunServices: [windows update] iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [windows update] iexplore.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.1.28/freecell/freecell-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38201.177974537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

BawA
08-03-2004, 04:05 PM
1) if u have NAV2004 Pro then u didn't crack it well or used a crack on a different version
or
2) u've been infected with those kinds of viruses that shut down NAV

gregster007
08-03-2004, 05:00 PM
Originally posted by bawa@Klite_user@3 August 2004 - 16:06
1) if u have NAV2004 Pro then u didn't crack it well or used a crack on a different version
or
2) u've been infected with those kinds of viruses that shut down NAV
1/ Cracked it fine and has been working fine for over 2 months until suddenly this started happening.

2/ I agree I have a virus but I have scanned and scanned and haven't found anything on my machine.

BawA
08-03-2004, 05:09 PM
Originally posted by gregster007@3 August 2004 - 21:01
Originally posted by bawa@Klite_user@3 August 2004 - 16:06
1) if u have NAV2004 Pro then u didn't crack it well or used a crack on a different version
or
2) u've been infected with those kinds of viruses that shut down NAV
1/ Cracked it fine and has been working fine for over 2 months until suddenly this started happening.

2/ I agree I have a virus but I have scanned and scanned and haven't found anything on my machine.
u can't find it, I think, as it infects a NAV file and it just looks like the original file.
Tell me, do u get any error when u try to enable Auto-Protect?
Try to disconnect from the internet then run NAV; maybe it's NAV's anti-fake-key scams which used to bug every1 before perfect cracks were released.

gregster007
08-03-2004, 05:32 PM
Originally posted by bawa@Klite_user@3 August 2004 - 17:10
Originally posted by gregster007@3 August 2004 - 21:01
Originally posted by bawa@Klite_user@3 August 2004 - 16:06
1) if u have NAV2004 Pro then u didn't crack it well or used a crack on a different version
or
2) u've been infected with those kinds of viruses that shut down NAV
1/ Cracked it fine and has been working fine for over 2 months until suddenly this started happening.

2/ I agree I have a virus but I have scanned and scanned and haven't found anything on my machine.
u can't find it, I think, as it infects a NAV file and it just looks like the original file.
Tell me, do u get any error when u try to enable Auto-Protect?
Try to disconnect from the internet then run NAV; maybe it's NAV's anti-fake-key scams which used to bug every1 before perfect cracks were released.
If I let the command screen run and let it disable NAV, when I try to re-enable Auto-Protect nothing happens; it's like clicking on the button to re-enable is just a dud.

I have tried re-enabling while not on the internet to no avail, and have even re-installed NAV (making sure all files had been deleted before installing) and am getting the same problem.


I'm not really sure what is happening; I will do some more surfing and see if I can come up with anything.

iMartin
08-03-2004, 05:46 PM
Uninstall Norton, and get Kaspersky. :frusty:

dopey
08-03-2004, 05:47 PM
was the virus scan able to clean it? if it was, please reboot and post a new hijack this log.

edit: I would not recommend installing an antivirus program on an already infected machine. but once he gets clean, i tend to agree with you. :)

gregster007
08-03-2004, 05:58 PM
Originally posted by dopey@3 August 2004 - 17:48
was the virus scan able to clean it? if it was, please reboot and post a new hijack this log.

edit: I would not recommend installing an antivirus program on an already infected machine. but once he gets clean, i tend to agree with you. :)

I ran an online virus scan successfully but it did not find any virus on my machine, so it was clean.

Even if I install new AV software this still won't change the fact that I still have both of these problems upon startup.

New HijackThis log below, don't know if this will help though.

Logfile of HijackThis v1.97.7
Scan saved at 18:58:01, on 03/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\planetscott.ca\PopupBlock\PopupBlock.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\WINDOWS\System32\iexplore.exe
C:\winnt\system32\drivers\etc\csrss.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\winnt\system32\drivers\etc\lsass.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Temp\Greg\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.30.112.1:8080
O1 - Hosts: 66.159.20.52 www1.ndhosting.com
O1 - Hosts: 66.159.20.52 www3.ndhosting.com
O1 - Hosts: 66.159.20.52 www2.ndhosting.com
O1 - Hosts: 66.159.20.52 www.ndhosting.com
O1 - Hosts: 66.159.20.52 www.kinghost.com
O1 - Hosts: 66.159.20.52 kinghost.com
O1 - Hosts: 66.159.20.52 www1.kinghost.com
O1 - Hosts: 66.159.20.52 www2.kinghost.com
O1 - Hosts: 66.159.20.52 www3.kinghost.com
O1 - Hosts: 66.159.20.52 www4.kinghost.com
O1 - Hosts: 66.159.20.52 www5.kinghost.com
O1 - Hosts: 66.159.20.52 www6.kinghost.com
O1 - Hosts: 66.159.20.52 www7.kinghost.com
O1 - Hosts: 66.159.20.52 www8.kinghost.com
O1 - Hosts: 66.159.20.52 www9.kinghost.com
O1 - Hosts: 66.159.20.52 www10.kinghost.com
O1 - Hosts: 66.159.20.52 www.smutserver.com
O1 - Hosts: 66.159.20.52 smutserver.com
O1 - Hosts: 66.159.20.52 www1.smutserver.com
O1 - Hosts: 66.159.20.52 www2.smutserver.com
O1 - Hosts: 66.159.20.52 www16.smutserver.com
O1 - Hosts: 66.159.20.52 www3.smutserver.com
O1 - Hosts: 66.159.20.52 www4.smutserver.com
O1 - Hosts: 66.159.20.52 www5.smutserver.com
O1 - Hosts: 66.159.20.52 www6.smutserver.com
O1 - Hosts: 66.159.20.52 www7.smutserver.com
O1 - Hosts: 66.159.20.52 www8.smutserver.com
O1 - Hosts: 66.159.20.52 www9.smutserver.com
O1 - Hosts: 66.159.20.52 www10.smutserver.com
O1 - Hosts: 66.159.20.52 www11.smutserver.com
O1 - Hosts: 66.159.20.52 www12.smutserver
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\planetscott.ca\PopupBlock\PBHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [PopupBlock] C:\Program Files\planetscott.ca\PopupBlock\PopupBlock.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [HP Update 4300C] C:\sj657\hpupdate.exe 4300C
O4 - HKLM\..\Run: [windows update] iexplore.exe
O4 - HKLM\..\Run: [AAS] c:\winnt\system32\drivers\etc\check.bat
O4 - HKLM\..\Run: [csrss service] c:\winnt\system32\drivers\etc\csrss.exe
O4 - HKLM\..\Run: [secure] c:\winnt\system32\drivers\etc\secure.exe
O4 - HKLM\..\Run: [lsass service] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\RunServices: [windows update] iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [windows update] iexplore.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.1.28/freecell/freecell-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38201.177974537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

CornerPocket
08-03-2004, 06:01 PM
Many variants can cause this (if indeed virus related): Nachi worm, Gaobot.A, Gaobot.B, and some others I cannot remember.

Gaobot (or some variation of it) can cause the antivirus (Norton) to be disabled as soon as boot-up time.

Try this:

1. Detach machine from LAN/internet
2. Use any other antivirus (other than Norton) or use the free tool "Stinger" from Network Associates
3. Clean the machine using the above tool
4. Install a firewall (Sygate Personal is free)
5. Install your antivirus
6. Connect to LAN/internet and download all security patches for MS XP.


If you indeed have a variant of this type, try using one of these to track it down:

STINGER
http://vil.nai.com/vil/stinger/

PANDA QUICK REMOVER:
http://www.pandasoftware.com/download/utilities/





*note* some of these viruses are pretty nasty, with some replacing files such as svchost with SCVHOST (NOTICE THE SWITCHED V AND C). For some of the variants you might have to go to the registry and delete some entries manually.

Good luck!

Snee
08-03-2004, 06:34 PM
I was browsing around lately when I had a wee infection on an unprotected system, and I found this board (http://forum.gladiator-antivirus.com/index.php?act=idx) very useful. They have ppl who know what to look for in a hijackthis-log better than me, at least. So if all else fails it might be worth a try.

dopey
08-03-2004, 07:56 PM
make a folder for hijack this, the program makes backups and your program files folder will get very cluttered.

rescan and check the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O1 - Hosts: 66.159.20.52 www1.ndhosting.com
O1 - Hosts: 66.159.20.52 www3.ndhosting.com
O1 - Hosts: 66.159.20.52 www2.ndhosting.com
O1 - Hosts: 66.159.20.52 www.ndhosting.com
O1 - Hosts: 66.159.20.52 www.kinghost.com
O1 - Hosts: 66.159.20.52 kinghost.com
O1 - Hosts: 66.159.20.52 www1.kinghost.com
O1 - Hosts: 66.159.20.52 www2.kinghost.com
O1 - Hosts: 66.159.20.52 www3.kinghost.com
O1 - Hosts: 66.159.20.52 www4.kinghost.com
O1 - Hosts: 66.159.20.52 www5.kinghost.com
O1 - Hosts: 66.159.20.52 www6.kinghost.com
O1 - Hosts: 66.159.20.52 www7.kinghost.com
O1 - Hosts: 66.159.20.52 www8.kinghost.com
O1 - Hosts: 66.159.20.52 www9.kinghost.com
O1 - Hosts: 66.159.20.52 www10.kinghost.com
O1 - Hosts: 66.159.20.52 www.smutserver.com
O1 - Hosts: 66.159.20.52 smutserver.com
O1 - Hosts: 66.159.20.52 www1.smutserver.com
O1 - Hosts: 66.159.20.52 www2.smutserver.com
O1 - Hosts: 66.159.20.52 www16.smutserver.com
O1 - Hosts: 66.159.20.52 www3.smutserver.com
O1 - Hosts: 66.159.20.52 www4.smutserver.com
O1 - Hosts: 66.159.20.52 www5.smutserver.com
O1 - Hosts: 66.159.20.52 www6.smutserver.com
O1 - Hosts: 66.159.20.52 www7.smutserver.com
O1 - Hosts: 66.159.20.52 www8.smutserver.com
O1 - Hosts: 66.159.20.52 www9.smutserver.com
O1 - Hosts: 66.159.20.52 www10.smutserver.com
O1 - Hosts: 66.159.20.52 www11.smutserver.com
O1 - Hosts: 66.159.20.52 www12.smutserver

O4 - HKLM\..\Run: [windows update] iexplore.exe
O4 - HKLM\..\Run: [AAS] c:\winnt\system32\drivers\etc\check.bat
O4 - HKLM\..\Run: [csrss service] c:\winnt\system32\drivers\etc\csrss.exe
O4 - HKLM\..\Run: [secure] c:\winnt\system32\drivers\etc\secure.exe
O4 - HKLM\..\Run: [lsass service] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
O4 - HKLM\..\RunServices: [windows update] iexplore.exe
O4 - HKCU\..\Run: [windows update] iexplore.exe

this one is optional but really not needed:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

close all browser windows and hit fix checked.
make sure hidden files are showing

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

reboot into safe mode (hit f8 during startup) and delete this file:

C:\WINDOWS\System32\iexplore.exe <--- (only the one in the system32 folder)


these files are very suspicious. can you navigate to the location and see if there's any info in the properties? (version, date created, etc)

C:\winnt\system32\drivers\etc\csrss.exe
c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
c:\winnt\system32\drivers\etc\check.bat
c:\winnt\system32\drivers\etc\secure.exe

reboot into normal mode and post a new log, and whatever info you could find.

Chewie
08-03-2004, 10:44 PM
Originally posted by dopey@3 August 2004 - 19:57
these files are very suspicious. can you navigate to the location and see if there's any info in the properties? (version, date created, etc)

C:\winnt\system32\drivers\etc\csrss.exe
c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
c:\winnt\system32\drivers\etc\check.bat
c:\winnt\system32\drivers\etc\secure.exe

reboot into normal mode and post a new log, and whatever info you could find.
Yes, they're malicious alright.
Notice they're in C:\WINNT\? A little odd given that the rest of the system is on C:\WINDOWS\!

I'd say get a second opinion online scan - Trend? There's a pinned topic somewhere (softwareworld?) that links to several online scanners.

In fact, after looking around a little... HERE'S (http://www.spywareinfo.com/forums/index.php?showtopic=30444) a user with a very similar problem.
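
The checks dopey walks through above (O4 autoruns that name a bare iexplore.exe or point under c:\winnt, the hosts-file entries all pinned to one address, the R0/R1 keys reset to about:blank, the extra iexplore.exe in System32), Chewie UK's point that C:\WINNT is a second Windows tree on a machine whose real system root is C:\WINDOWS, and CornerPocket's svchost/SCVHOST lookalike, written up as a small log-triage script. This is an added example, not code from the thread, from HijackThis, or from any of the posters; the sample log is a constructed excerpt of gregster007's posted log with one invented scvhost.exe line, and all function names are my own.

```python
import re
from collections import defaultdict

# Core Windows binaries that legitimately run only from %SystemRoot%\System32.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# IE search keys that hijackers commonly reset to about:blank (dopey's R0/R1 list).
SEARCH_KEYS = ("Search Bar", "SearchAssistant", "CustomizeSearch")
# First executable-looking token of an unquoted command line.
EXE_RE = re.compile(r"(.+?\.(?:exe|bat|cmd|com|scr|dll))(?:\s|$)", re.I)

# Constructed excerpt of gregster007's log; the scvhost.exe line is invented for the lookalike check.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\iexplore.exe
C:\winnt\system32\drivers\etc\csrss.exe
c:\winnt\system32\drivers\etc\lsass.exe
C:\WINDOWS\System32\scvhost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O1 - Hosts: 66.159.20.52 www.kinghost.com
O1 - Hosts: 66.159.20.52 www.smutserver.com
O4 - HKLM\..\Run: [windows update] iexplore.exe
O4 - HKLM\..\Run: [csrss service] c:\winnt\system32\drivers\etc\csrss.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

def split_path(path):
    """(directory, basename) of a Windows path, lower-cased; directory is '' for a bare name."""
    directory, _, name = path.strip().strip('"').lower().rpartition("\\")
    return directory, name

def parse(log):
    """Split a HijackThis log into the running-process list and the R/O item lines."""
    processes, items, in_procs = [], [], False
    for line in map(str.strip, log.splitlines()):
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif re.match(r"[RO]\d+ - ", line):
            items.append(line)
        else:
            in_procs = False          # blank line ends the process list
    return processes, items

def system_root(processes):
    """Real %SystemRoot%, taken from where smss.exe runs (the Platform line only names the OS)."""
    for path in processes:
        directory, name = split_path(path)
        if name == "smss.exe" and directory.endswith("\\system32"):
            return directory[: -len("\\system32")]
    return None

def lookalike(name):
    """System binary that `name` imitates by one adjacent-character swap (scvhost -> svchost)."""
    for i in range(len(name) - 1):
        swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
        if swapped in SYSTEM_BINARIES and swapped != name:
            return swapped
    return None

def autorun_target(item):
    """Executable path from an O4 line: '[name] cmd' or 'x.lnk = cmd', quoted or bare."""
    command = item.split("] ", 1)[-1] if "] " in item else item.split(" = ", 1)[-1]
    if command.startswith('"'):
        return command.split('"')[1]
    match = EXE_RE.match(command)
    return match.group(1) if match else command.split()[0]

def triage(log):
    """Apply the thread's manual checks to a log; returns a list of (reason, evidence) pairs."""
    processes, items = parse(log)
    root = system_root(processes) or "c:\\windows"   # assumed default if smss.exe is not listed
    sys32 = root + "\\system32"
    findings, hosts = [], defaultdict(list)
    for path in processes:
        directory, name = split_path(path)
        if name in SYSTEM_BINARIES and directory != sys32:
            findings.append(("system binary name running outside System32", path))
        elif name == "iexplore.exe" and directory == sys32:
            findings.append(("browser binary name running from System32", path))
        elif lookalike(name):
            findings.append((f"name imitates {lookalike(name)}", path))
    for item in items:
        if item.startswith("O1 - Hosts:"):
            ip, hostname = item.split(":", 1)[1].split()[:2]
            if not ip.startswith("127."):            # anything but loopback is a redirect
                hosts[ip].append(hostname)
        elif item.startswith(("R0 - ", "R1 - ")):
            if item.endswith("= about:blank") and any(k in item for k in SEARCH_KEYS):
                findings.append(("IE search setting reset to about:blank", item))
        elif item.startswith("O4 - "):
            directory, _ = split_path(autorun_target(item))
            if not directory:
                findings.append(("autorun names a bare executable resolved via PATH", item))
            elif re.match(r"[a-z]:\\(winnt|windows)\\", directory + "\\") and not directory.startswith(root + "\\"):
                findings.append(("autorun target lives in a second Windows tree", item))
    for ip, names in hosts.items():
        if len(names) > 1:
            findings.append((f"{len(names)} hostnames pinned to {ip} in hosts file", ", ".join(names)))
    return findings

if __name__ == "__main__":
    print(*(f"{reason}: {evidence}" for reason, evidence in triage(SAMPLE_LOG)), sep="\n")
```

Run it against a full log pasted into SAMPLE_LOG and every line dopey told gregster007 to tick comes out as a finding; the one thing it deliberately does not do is decide for you, since a second Windows tree is only suspicious once you know which one the machine actually booted from, which is why the root is derived from smss.exe rather than hard-coded.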

Mïcrösöül°V³
08-03-2004, 11:45 PM
I have always found that the best thing to do is either PAY for your anti-virus software (seeing as how it's pretty much your ONLY defense), or use some of the free stuff that is out there. I will be the first to use cracked software of any kind EXCEPT for anti-virus or firewall. Now, I had an issue similar to this one, and although I never got it figured out, I noticed that the problem was caused by something changing my system clock (when I would mouse over my clock, it would say "may 10, 9999" for example). I just reformatted and chalked it up to a badly cracked program (which I have many of :lol: ) so narrowing it down was almost impossible, cuz I'm impatient. :helpsmile:

gregster007
08-04-2004, 10:21 AM
I have fixed the main problem (thanks to dopey and Chewie UK) with NAV not loading because of some bogus command prompt.
It was to do with files within the c:\winnt subfolders; I just renamed and moved the folder to a temp location and all is OK now because it's not running the bogus exe file, as you can see below:

***********

Directory of C:\Temp\winnt.old\system32

31/07/2004 13:59 <DIR> .
31/07/2004 13:59 <DIR> ..
31/07/2004 13:59 <DIR> drivers
02/08/2004 12:05 <DIR> wins
0 File(s) 0 bytes

Directory of C:\Temp\winnt.old\system32\drivers

31/07/2004 13:59 <DIR> .
31/07/2004 13:59 <DIR> ..
04/08/2004 09:34 <DIR> etc
0 File(s) 0 bytes

Directory of C:\Temp\winnt.old\system32\drivers\etc

04/08/2004 09:34 <DIR> .
04/08/2004 09:34 <DIR> ..
03/07/2003 20:41 32,842 BugSlayerUtil.dll
20/07/2004 00:25 1,139 check.bat
06/04/2004 11:23 6,656 cygcrypt-0.dll
06/07/2003 21:46 68,016 cygregex.dll
20/07/2004 00:29 1,168 DCCINST.reg
29/08/2002 16:55 29,696 hidden32.exe
02/08/2004 12:06 1,400 ir.dll
31/07/2004 13:59 0 lhost.lm
31/07/2004 13:59 <DIR> logs
13/02/2004 17:11 226,276 lsass.exe
14/04/2003 20:11 44 reg1.bat
04/08/2004 09:34 1,969 ServUDaemon.ini
04/08/2004 09:34 529 ServUStartUpLog.txt
02/08/2004 12:06 5 shost.ls
20/07/2004 00:22 237 startme.bat
28/06/2003 17:47 227 sys.txt
29/07/2004 23:39 40,491 wingen.EXE
29/07/2004 23:33 1,203 wm.txt
17 File(s) 411,898 bytes

Directory of C:\Temp\winnt.old\system32\drivers\etc\logs

31/07/2004 13:59 <DIR> .
31/07/2004 13:59 <DIR> ..
0 File(s) 0 bytes

Directory of C:\Temp\winnt.old\system32\wins

02/08/2004 12:05 <DIR> .
02/08/2004 12:05 <DIR> ..
29/08/2002 16:55 22,016 KILL.EXE
29/07/2004 23:41 2,026,450 nsane.exe *******I noticed this file in c:\ and deleted it initially before the post and forgot to mention******
25/07/2004 17:40 1,187 start.bat
3 File(s) 2,049,653 bytes

Total Files Listed:
20 File(s) 2,461,551 bytes
14 Dir(s) 3,780,800,512 bytes free

C:\Temp\winnt.old\system32>

*********

Contents of the start.bat file is as follows:

@echo off

cd C:\winnt\system32\wins\
net stop anti-trojan
net stop antivirus

C:\WINNT\SYSTEM32\wins\kill.exe nvsvc32.exe
C:\WINNT\SYSTEM32\wins\kill.exe anti-trojan
C:\WINNT\SYSTEM32\wins\kill.exe antivirus
C:\WINNT\SYSTEM32\wins\kill.exe vrmonsvc.exe
C:\WINNT\SYSTEM32\wins\kill.exe killprocesssetup161.exe
C:\WINNT\SYSTEM32\wins\kill.exe vrmonNT.exe
C:\WINNT\SYSTEM32\wins\kill.exe monsvcNT.exe
C:\WINNT\SYSTEM32\wins\kill.exe navsched.exe
C:\WINNT\SYSTEM32\wins\kill.exe fxsvc.exe
C:\WINNT\SYSTEM32\wins\kill.exe clisvc.exe
C:\WINNT\SYSTEM32\wins\kill.exe mcshield.exe
C:\WINNT\SYSTEM32\wins\kill.exe mspmspsv.exe
C:\WINNT\SYSTEM32\wins\kill.exe norton_internet_secu_3.0_407.exe
C:\WINNT\SYSTEM32\wins\kill.exe ccap.exe
C:\WINNT\SYSTEM32\wins\kill.exe nprotect.exe
C:\WINNT\SYSTEM32\wins\kill.exe McVSEscn.exe
C:\WINNT\SYSTEM32\wins\kill.exe mcagent.exe
C:\WINNT\SYSTEM32\wins\kill.exe mcvsftsn.exe
C:\WINNT\SYSTEM32\wins\kill.exe CCAPP.exe
C:\WINNT\SYSTEM32\wins\kill.exe rmtcfg.exe
C:\WINNT\SYSTEM32\wins\kill.exe PCCPFW.exe
C:\WINNT\SYSTEM32\wins\kill.exe PCClient.exe
C:\WINNT\SYSTEM32\wins\kill.exe pccguide.exe
C:\WINNT\SYSTEM32\wins\nsane.exe

As you can see this was the bugger causing the problems; I suggest you all keep an eye out for this as it's new to me and looks like it was doing a lot of mischief!!

Could someone advise if it's OK to delete the whole of the above folder (bogus winnt folder), as I am not sure if there are some files that Windows may require (Windows booted up fine with no errors though, but I haven't tried all my apps).

The problem with the iexplore.exe image is still happening, I tried what you said dopey but couldn’t find the file:
C:\WINDOWS\System32\iexplore.exe
to delete. Any further help would be much appreciated but not as urgent as it doesn’t actually affect my machine at all.

Thanks a lot all.


NB Below is another HijackThis log if anyone would like a look:

Logfile of HijackThis v1.97.7
Scan saved at 11:17:19, on 04/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\planetscott.ca\PopupBlock\PopupBlock.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\WINDOWS\System32\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\iexplore.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Temp\Greg\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.30.112.1:8080
O1 - Hosts: 66.159.20.52 www1.ndhosting.com
O1 - Hosts: 66.159.20.52 www3.ndhosting.com
O1 - Hosts: 66.159.20.52 www2.ndhosting.com
O1 - Hosts: 66.159.20.52 www.ndhosting.com
O1 - Hosts: 66.159.20.52 www.kinghost.com
O1 - Hosts: 66.159.20.52 kinghost.com
O1 - Hosts: 66.159.20.52 www1.kinghost.com
O1 - Hosts: 66.159.20.52 www2.kinghost.com
O1 - Hosts: 66.159.20.52 www3.kinghost.com
O1 - Hosts: 66.159.20.52 www4.kinghost.com
O1 - Hosts: 66.159.20.52 www5.kinghost.com
O1 - Hosts: 66.159.20.52 www6.kinghost.com
O1 - Hosts: 66.159.20.52 www7.kinghost.com
O1 - Hosts: 66.159.20.52 www8.kinghost.com
O1 - Hosts: 66.159.20.52 www9.kinghost.com
O1 - Hosts: 66.159.20.52 www10.kinghost.com
O1 - Hosts: 66.159.20.52 www.smutserver.com
O1 - Hosts: 66.159.20.52 smutserver.com
O1 - Hosts: 66.159.20.52 www1.smutserver.com
O1 - Hosts: 66.159.20.52 www2.smutserver.com
O1 - Hosts: 66.159.20.52 www16.smutserver.com
O1 - Hosts: 66.159.20.52 www3.smutserver.com
O1 - Hosts: 66.159.20.52 www4.smutserver.com
O1 - Hosts: 66.159.20.52 www5.smutserver.com
O1 - Hosts: 66.159.20.52 www6.smutserver.com
O1 - Hosts: 66.159.20.52 www7.smutserver.com
O1 - Hosts: 66.159.20.52 www8.smutserver.com
O1 - Hosts: 66.159.20.52 www9.smutserver.com
O1 - Hosts: 66.159.20.52 www10.smutserver.com
O1 - Hosts: 66.159.20.52 www11.smutserver.com
O1 - Hosts: 66.159.20.52 www12.smutserver
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\planetscott.ca\PopupBlock\PBHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [PopupBlock] C:\Program Files\planetscott.ca\PopupBlock\PopupBlock.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [HP Update 4300C] C:\sj657\hpupdate.exe 4300C
O4 - HKLM\..\Run: [windows update] iexplore.exe
O4 - HKLM\..\Run: [AAS] c:\winnt\system32\drivers\etc\check.bat
O4 - HKLM\..\Run: [csrss service] c:\winnt\system32\drivers\etc\csrss.exe
O4 - HKLM\..\Run: [secure] c:\winnt\system32\drivers\etc\secure.exe
O4 - HKLM\..\Run: [lsass service] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\RunServices: [windows update] iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [windows update] iexplore.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.1.28/freecell/freecell-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38201.177974537
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
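
The log above can be triaged mechanically rather than by eye. The Python below is an added example (not code from this thread, from HijackThis or from any of the posters) that applies three of the checks dopey and Chewie used: an O4 autorun whose command is a bare image name (`iexplore.exe` with no path, so whatever file of that name wins the PATH search runs) or whose path sits in a second Windows tree (`c:\winnt\system32\...` on a box whose real system root, taken from where `smss.exe` runs, is `C:\WINDOWS`); an O1 block that pins many hostnames to one IP; and an R1 ProxyServer override. The sample input is a constructed excerpt of the posted log, and the function names, thresholds and regexes are the example's own assumptions.

```python
"""Heuristic triage of a HijackThis 1.9x log (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed excerpt of the log posted above; not a complete HijackThis log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\iexplore.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.30.112.1:8080
O1 - Hosts: 66.159.20.52 www.kinghost.com
O1 - Hosts: 66.159.20.52 kinghost.com
O1 - Hosts: 66.159.20.52 www.smutserver.com
O1 - Hosts: 66.159.20.52 smutserver.com
O1 - Hosts: 66.159.20.52 www1.smutserver.com
O1 - Hosts: 66.159.20.52 www2.smutserver.com
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [HP Update 4300C] C:\sj657\hpupdate.exe 4300C
O4 - HKLM\..\Run: [windows update] iexplore.exe
O4 - HKLM\..\Run: [AAS] c:\winnt\system32\drivers\etc\check.bat
O4 - HKLM\..\Run: [csrss service] c:\winnt\system32\drivers\etc\csrss.exe
O4 - HKLM\..\Run: [lsass service] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [windows update] iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

SMSS_RE = re.compile(r"(?i)^(.+)\\system32\\smss\.exe$")
O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
WIN_TREE_RE = re.compile(r'(?i)([a-z]:\\[^\\\s"]+)\\system32\\')
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)$")


def system_root(lines):
    """The real %SystemRoot%, taken from where smss.exe runs: the session
    manager is always started from the genuine system32 directory."""
    for line in lines:
        m = SMSS_RE.match(line.strip())
        if m:
            return m.group(1).lower()
    return None


def check_o4(entry, sysroot):
    """Reasons an O4 autorun looks hostile (empty list if it looks benign)."""
    m = O4_RE.match(entry)
    if not m:
        return []
    key, name, command = m.groups()
    reasons = []
    tokens = command.strip().lstrip('"').split()
    first = tokens[0] if tokens else ""
    # Bare image name: resolved through the PATH search order, so a same-named
    # file dropped into System32 is what actually runs.
    if first and "\\" not in first:
        reasons.append(f"{key} [{name}]: unqualified image '{first}' (PATH search)")
    # Any x:\something\system32\ prefix that is not the real system root.
    for root in WIN_TREE_RE.findall(command):
        if sysroot and root.lower() != sysroot:
            reasons.append(f"{key} [{name}]: path under fake system tree {root}")
            break
    return reasons


def hosts_hijacks(lines, min_hosts=5):
    """IPs that at least min_hosts hostnames are pinned to via O1 entries."""
    by_ip = defaultdict(list)
    for line in lines:
        m = O1_RE.match(line.strip())
        if m:
            by_ip[m.group(1)].append(m.group(2))
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}


def triage(log_text, min_hosts=5):
    """Return (section, detail) findings for the whole log."""
    lines = log_text.splitlines()
    sysroot = system_root(lines)
    findings = []
    for line in lines:
        findings.extend(("O4", r) for r in check_o4(line.strip(), sysroot))
        pm = PROXY_RE.match(line.strip())
        if pm:
            findings.append(("R1", f"all IE traffic proxied via {pm.group(1)}"))
    for ip, hosts in hosts_hijacks(lines, min_hosts).items():
        findings.append(("O1", f"{len(hosts)} hostnames pinned to {ip}"))
    return findings


if __name__ == "__main__":
    for section, detail in triage(SAMPLE_LOG):
        print(section, detail)
```

Run against the constructed excerpt it flags the five `c:\winnt` and bare `iexplore.exe` autoruns, the proxy override and the 66.159.20.52 hosts block, and leaves the Winamp, HP, Symantec and ctfmon entries alone. The `secure.exe` entry and the real log's 31 hosts lines behave the same way; the hosts threshold is only there so a single legitimate pinned entry does not trip it.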

dopey
08-04-2004, 07:34 PM
wow. :o

and after all that, your hijack this log is nearly identical.

so, try again.


rescan and check the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O1 - Hosts: 66.159.20.52 www1.ndhosting.com
O1 - Hosts: 66.159.20.52 www3.ndhosting.com
O1 - Hosts: 66.159.20.52 www2.ndhosting.com
O1 - Hosts: 66.159.20.52 www.ndhosting.com
O1 - Hosts: 66.159.20.52 www.kinghost.com
O1 - Hosts: 66.159.20.52 kinghost.com
O1 - Hosts: 66.159.20.52 www1.kinghost.com
O1 - Hosts: 66.159.20.52 www2.kinghost.com
O1 - Hosts: 66.159.20.52 www3.kinghost.com
O1 - Hosts: 66.159.20.52 www4.kinghost.com
O1 - Hosts: 66.159.20.52 www5.kinghost.com
O1 - Hosts: 66.159.20.52 www6.kinghost.com
O1 - Hosts: 66.159.20.52 www7.kinghost.com
O1 - Hosts: 66.159.20.52 www8.kinghost.com
O1 - Hosts: 66.159.20.52 www9.kinghost.com
O1 - Hosts: 66.159.20.52 www10.kinghost.com
O1 - Hosts: 66.159.20.52 www.smutserver.com
O1 - Hosts: 66.159.20.52 smutserver.com
O1 - Hosts: 66.159.20.52 www1.smutserver.com
O1 - Hosts: 66.159.20.52 www2.smutserver.com
O1 - Hosts: 66.159.20.52 www16.smutserver.com
O1 - Hosts: 66.159.20.52 www3.smutserver.com
O1 - Hosts: 66.159.20.52 www4.smutserver.com
O1 - Hosts: 66.159.20.52 www5.smutserver.com
O1 - Hosts: 66.159.20.52 www6.smutserver.com
O1 - Hosts: 66.159.20.52 www7.smutserver.com
O1 - Hosts: 66.159.20.52 www8.smutserver.com
O1 - Hosts: 66.159.20.52 www9.smutserver.com
O1 - Hosts: 66.159.20.52 www10.smutserver.com
O1 - Hosts: 66.159.20.52 www11.smutserver.com
O1 - Hosts: 66.159.20.52 www12.smutserver

O4 - HKLM\..\Run: [windows update] iexplore.exe
O4 - HKLM\..\Run: [AAS] c:\winnt\system32\drivers\etc\check.bat
O4 - HKLM\..\Run: [csrss service] c:\winnt\system32\drivers\etc\csrss.exe
O4 - HKLM\..\Run: [secure] c:\winnt\system32\drivers\etc\secure.exe
O4 - HKLM\..\Run: [lsass service] c:\winnt\system32\drivers\etc\hidden32.exe c:\winnt\system32\drivers\etc\lsass.exe c:\winnt\system32\drivers\etc\ir.dll
O4 - HKLM\..\RunServices: [windows update] iexplore.exe
O4 - HKCU\..\Run: [windows update] iexplore.exe

this one is optional but really not needed:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

close all browser windows and hit fix checked.

download the process explorer from here:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

reboot into safe mode and run hijack this once more. see if that rogue iexplore is running. unlike task manager the process explorer shows the path of the file. highlight the C:\WINDOWS\System32\iexplore.exe, if present and fix it with hijack this.

then delete the file: C:\WINDOWS\System32\iexplore.exe.

as for that strange winnt folder, you can check the files individually here:

http://www.kaspersky.com/scanforvirus

but somehow, i doubt you will still need any part of that trojan.

the only difference in your log is the lack of those winnt files in your active processes so perhaps, you will be successful this time.

reboot into normal mode and post a fresh log.
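
dopey's point about Process Explorer showing the image path is the whole game here: the log lists `iexplore.exe` from `C:\WINDOWS\System32`, and the dropped tree holds `lsass.exe` and `csrss.exe` under `c:\winnt\system32\drivers\etc`, all names that would look normal in Task Manager on XP. The Python below is an added example (not code from this thread or from Process Explorer) that does that comparison from a list of image paths: each well-known name is checked against the directory it is supposed to load from, and as a cheaper first pass any name seen from more than one directory is reported. The expected-directory table and the constructed process list (taken from the posted log plus the two `c:\winnt` autoruns) are the example's own assumptions; extend the table from a clean build of the same OS.

```python
"""Flag processes whose image name is a well-known binary but whose path is not
where that binary lives (added example, not from the thread)."""
import ntpath  # Windows path semantics regardless of the host OS

# Expected directory per image name, lower-case, without the drive letter.
# Assumed for this example; a real table comes from a known-good XP install.
EXPECTED_DIRS = {
    "smss.exe":     [r"\windows\system32"],
    "csrss.exe":    [r"\windows\system32"],
    "winlogon.exe": [r"\windows\system32"],
    "services.exe": [r"\windows\system32"],
    "lsass.exe":    [r"\windows\system32"],
    "svchost.exe":  [r"\windows\system32"],
    "iexplore.exe": [r"\program files\internet explorer"],
}

# Constructed from the "Running processes" section posted above plus the two
# autoruns under c:\winnt, in the form Process Explorer shows (full image path).
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\iexplore.exe",
    r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"C:\WINDOWS\System32\iexplore.exe",
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    r"c:\winnt\system32\drivers\etc\csrss.exe",
    r"c:\winnt\system32\drivers\etc\lsass.exe",
]


def split_image(path):
    """Return (drive, directory, name), all lower-cased for comparison."""
    drive, rest = ntpath.splitdrive(path)
    directory, name = ntpath.split(rest)
    return drive.lower(), directory.lower(), name.lower()


def masquerades(process_paths, expected=EXPECTED_DIRS):
    """(path, reason) for every image that is not where its name says it lives.
    Names with no entry in the table get no verdict either way."""
    hits = []
    for path in process_paths:
        _, directory, name = split_image(path)
        allowed = expected.get(name)
        if allowed is None:
            continue
        if directory not in allowed:
            hits.append((path, f"{name} expected under {allowed[0]}"))
    return hits


def duplicate_names(process_paths):
    """Image names running from more than one directory: the table-free first
    pass, which misses a fake whose genuine twin is not in the list."""
    seen = {}
    for path in process_paths:
        _, directory, name = split_image(path)
        seen.setdefault(name, set()).add(directory)
    return {n: sorted(d) for n, d in seen.items() if len(d) > 1}


if __name__ == "__main__":
    for path, reason in masquerades(SAMPLE_PROCESSES):
        print("MASQUERADE", path, "->", reason)
    for name, dirs in duplicate_names(SAMPLE_PROCESSES).items():
        print("DUPLICATE ", name, "from", dirs)
```

On the constructed list the table check reports both `System32\iexplore.exe` instances and the two `c:\winnt` binaries, while the duplicate check only catches `iexplore.exe` and `lsass.exe`: the fake `csrss.exe` has no genuine twin in the list, which is exactly why a path expectation beats a name comparison. On the real machine the HijackThis "Running processes" section or Process Explorer's image column is the input; the verdict is what to fix and then delete, as dopey describes.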