May 15th, 2006 12:00

HJT + VundoFix logs. Sysprotect, errorsafe, winfixer ......

VUNDOFIX

VundoFix V4.2.74
Running as SYSTEM
from c:\windows\system32\VundoFix.exe
Checking Java version...
Sun Java not detected
Scan started at 15:45:04 15.05.2006
Listing files found while scanning....
C:\WINDOWS\System32\wvwtr.dll
C:\WINDOWS\System32\ljjjh.dll
C:\WINDOWS\System32\hjjjl.ini
C:\WINDOWS\System32\hjjjl.bak1
C:\WINDOWS\System32\hjjjl.bak2
C:\WINDOWS\System32\hjjjl.ini2
C:\WINDOWS\System32\hjjjl.tmp
C:\WINDOWS\system32\hjjjl.bak1
C:\WINDOWS\system32\hjjjl.bak2
C:\WINDOWS\system32\hjjjl.tmp
C:\WINDOWS\system32\hjjjl.ini
C:\WINDOWS\system32\hjjjl.ini2
C:\WINDOWS\system32\ljjjh.dll
C:\WINDOWS\system32\hjjjl.ini2
C:\WINDOWS\system32\hjjjl.bak2
C:\WINDOWS\system32\hjjjl.tmp
C:\WINDOWS\system32\hjjjl.ini
C:\WINDOWS\system32\hjjjl.ini2
C:\WINDOWS\system32\ljjjh.dll
Attempting to delete C:\WINDOWS\System32\ljjjh.dll
C:\WINDOWS\System32\ljjjh.dll Has been deleted!
Attempting to delete C:\WINDOWS\System32\hjjjl.ini
C:\WINDOWS\System32\hjjjl.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\hjjjl.bak1
C:\WINDOWS\System32\hjjjl.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\System32\hjjjl.bak2
C:\WINDOWS\System32\hjjjl.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\hjjjl.ini2
C:\WINDOWS\System32\hjjjl.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\hjjjl.tmp
C:\WINDOWS\System32\hjjjl.tmp Has been deleted!
Performing Repairs to the registry.
Done!


HJT
Logfile of HijackThis v1.99.1
Scan saved at 15:09:34, on 15.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Programfiler\Network\ipnetwork.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\Source Engine\OSE.EXE
C:\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dagbladet.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\wvwtr.dll (file missing)
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\ljjjh.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Programfiler\Network\ipnetwork.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe
O4 - HKLM\..\RunServices: [AdobeReaderPro] scdhost.exe
O4 - HKLM\..\RunServices: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ousukwx] C:\Documents and Settings\Eier\Mine dokumenter\?ppPatch\?xplorer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Pbca] "C:\WINDOWS\DOBE~1\winword.exe" -vt ndrv
O4 - HKCU\..\Run: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe
O8 - Extra context menu item: &Google-søk - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversett engelsk ord - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Koblinger bakover - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Lignende sider - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Øyeblikksbilde av siden i hurtigbufferen - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: POKER - {FB389F33-303A-4490-9E18-B301A493FBF2} - C:\Programfiler\PokermMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D156} (InstallControl Class) - http://activex.casinosupportservice.com/Version3.0/InstallHelper.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab?cab80353058bcf0ce3da59ee28f45ce5feb8d117e9ea4c3d973fe8031e6d7398266682bd3d88c01b5d910ccc5602cbaa5d5ec9c15a48c4161e8c8c3511:cdad2fa528392eb811684f447e16e930
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab?cab80353058bcf0ce3da59ee28f45ce5feb8d117e9ea4c3d973fe8031e6d7398266682bd3d88c01b5d910ccc5602cbaa5d5ec9c15a48c4161e8c8c3511:cdad2fa528392eb811684f447e16e930
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ljjjh - C:\WINDOWS\System32\ljjjh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe


What now? Please help, thank you:)

5.9K Posts

May 16th, 2006 14:00


Shut down and restart, and boot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option. Log in as your usual login or you won't find the programs you put on the desktop, and some of the entries we want to remove will not appear in HijackThis.

Run HijackThis and just do a Scan only. Check the following, then Fix Checked:
 

O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\wvwtr.dll (file missing)
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\ljjjh.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe
O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [IpNetwork] C:\Programfiler\Network\ipnetwork.exe
O4 - HKLM\..\Run: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe
O4 - HKLM\..\RunServices: [AdobeReaderPro] scdhost.exe
O4 - HKLM\..\RunServices: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe
O4 - HKCU\..\Run: [Ousukwx] C:\Documents and Settings\Eier\Mine dokumenter\?ppPatch\?xplorer.exe
O4 - HKCU\..\Run: [Pbca] "C:\WINDOWS\DOBE~1\winword.exe" -vt ndrv
O4 - HKCU\..\Run: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D156} (InstallControl Class) - http://activex.casinosupportservice.com/Version3.0/InstallHelper.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab?cab80353058bcf0ce3da59ee28f45ce5feb8d117e9ea4c3d973fe8031e6d7398266682bd3d88c01b5d910ccc5602cbaa5d5ec9c15a48c4161e8c8c3511:cdad2fa528392eb811684f447e16e930
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab?cab80353058bcf0ce3da59ee28f45ce5feb8d117e9ea4c3d973fe8031e6d7398266682bd3d88c01b5d910ccc5602cbaa5d5ec9c15a48c4161e8c8c3511:cdad2fa528392eb811684f447e16e930
O20 - Winlogon Notify: ljjjh - C:\WINDOWS\System32\ljjjh.dll

Then close HJT and reboot and run the Vundofix again.

Post a new HJT log as a reply when done

Ron
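Ron picked the lines above by eye. As an added example for this thread (it is not code from the thread, from HijackThis or from VundoFix), the script below applies a handful of defender-side heuristics to lines copied from the first HJT log, so a reader can see what makes each one stand out: a Run-key entry naming a core Windows binary or a lookalike of one (note the capital I in winIogon.exe), a RunServices key on XP, an executable launched from the user profile, a well-known application binary parked under C:\WINDOWS, the same entry name written under several autorun keys, Trusted Zone and ActiveX download hosts outside an assumed allowlist, and BHO, toolbar or Winlogon Notify DLLs that are already missing or match the files VundoFix listed. The binary name sets and the host allowlist are assumptions made for the example, not HijackThis settings.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not HJT code)."""
import re
from collections import Counter

# The system starts these binaries itself, so a Run-key entry naming one of
# them (or a lookalike such as winIogon.exe with a capital I) is suspect.
CORE_BINARIES = {"winlogon.exe", "lsass.exe", "svchost.exe", "csrss.exe",
                 "services.exe", "explorer.exe", "iexplore.exe"}
# Application binaries that never live under C:\WINDOWS (assumed set).
APP_BINARIES = {"winword.exe", "excel.exe", "iexplore.exe"}
# DLLs the VundoFix scan in this thread listed.
VUNDO_FILES = {r"c:\windows\system32\ljjjh.dll", r"c:\windows\system32\wvwtr.dll"}
# Assumed allowlist for O15/O16 hosts (HijackThis has no such setting).
TRUSTED_HOSTS = ("microsoft.com", "windowsupdate.com")

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
EXE_RE = re.compile(r'([^\\/\s"]+\.(?:exe|dll|com|scr|pif))', re.I)
DLL_RE = re.compile(r"([a-z]:\\\S+\.dll)", re.I)
HOST_RE = re.compile(r"https?://([^/\s]+)")


def fold(name: str) -> str:
    """Map look-alike glyphs (l/I/1, o/0) onto one so lookalike names compare equal."""
    return name.lower().replace("1", "l").replace("i", "l").replace("0", "o")


FOLDED_CORE = {fold(n) for n in CORE_BINARIES}


def triage(log_lines):
    """Return (reason, line) pairs for every log line that trips a heuristic."""
    findings, o4_entries, name_counts = [], [], Counter()
    for raw in log_lines:
        line = raw.strip()
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue
            _hive, key, name, value = m.groups()
            name_counts[name.lower()] += 1
            o4_entries.append((name, line))
            em = EXE_RE.search(value)
            exe = em.group(1).lower() if em else ""
            low = value.lower().lstrip('"')
            if exe in CORE_BINARIES:
                findings.append(("core Windows binary started from a Run key", line))
            elif fold(exe) in FOLDED_CORE:
                findings.append(("lookalike of a core Windows binary name", line))
            elif exe in APP_BINARIES and low.startswith("c:\\windows\\"):
                findings.append(("application binary placed under C:\\WINDOWS", line))
            elif "\\documents and settings\\" in low:
                findings.append(("autorun executable inside a user profile", line))
            if key.lower().startswith("runservices"):
                findings.append(("RunServices key: Windows 9x-era key, not used by XP itself", line))
        elif line.startswith(("O15 - ", "O16 - ")):
            hm = HOST_RE.search(line)
            if hm and not hm.group(1).lower().endswith(TRUSTED_HOSTS):
                findings.append(("Trusted Zone / ActiveX download host not on allowlist", line))
        elif line.startswith(("O2 - ", "O3 - ", "O20 - ")):
            pm = DLL_RE.search(line)
            path = pm.group(1).lower() if pm else ""
            if "(file missing)" in line or "(no file)" in line:
                findings.append(("orphaned registration, file already gone", line))
            elif path in VUNDO_FILES:
                findings.append(("references a DLL listed by VundoFix", line))
    # Writing one entry name under several autorun keys is a persistence habit
    # of this malware family; report every copy so all of them get fixed.
    for name, line in o4_entries:
        if name_counts[name.lower()] > 1:
            findings.append(("same entry name persisted under multiple autorun keys", line))
    return findings


# Lines copied from the first HijackThis log in this thread (a subset).
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\wvwtr.dll (file missing)",
    r"O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\ljjjh.dll",
    r"O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)",
    r"O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe",
    r"O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\winIogon.exe",
    r"O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe",
    r"O4 - HKLM\..\Run: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe",
    r"O4 - HKLM\..\RunServices: [AdobeReaderPro] scdhost.exe",
    r"O4 - HKLM\..\RunServices: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe",
    r"O4 - HKCU\..\Run: [Ousukwx] C:\Documents and Settings\Eier\Mine dokumenter\?ppPatch\?xplorer.exe",
    r'O4 - HKCU\..\Run: [Pbca] "C:\WINDOWS\DOBE~1\winword.exe" -vt ndrv',
    r"O4 - HKCU\..\Run: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe",
    r"O15 - Trusted Zone: http://click.getmirar.com (HKLM)",
    r"O16 - DPF: {012F24D4-35B0-11D0-BF2D-0000E8D0D156} (InstallControl Class) - http://activex.casinosupportservice.com/Version3.0/InstallHelper.cab",
    r"O20 - Winlogon Notify: ljjjh - C:\WINDOWS\System32\ljjjh.dll",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
]

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

The rules deliberately do not catch everything Ron selected (ipnetwork.exe passes all of them), which is the point of a triage script: it narrows the list and explains each hit, and the person reading the log makes the call.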

7 Posts

May 17th, 2006 05:00

Here is the new hjt-log:
 
 
 
Logfile of HijackThis v1.99.1
Scan saved at 08:16:02, on 17.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dagbladet.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\RunServices: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe
O8 - Extra context menu item: &Google-søk - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversett engelsk ord - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Koblinger bakover - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Lignende sider - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Øyeblikksbilde av siden i hurtigbufferen - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: POKER - {FB389F33-303A-4490-9E18-B301A493FBF2} - C:\Programfiler\PokermMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
 

7 Posts

May 17th, 2006 16:00

I did the HJT, Misc, Open Process Manager, but C:\WINDOWS\system32\taskbar.exe didn't appear there... Could I just fix-check these 2 or...?

O4 - HKLM\..\RunServices: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe
O4 - HKCU\..\Run: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe

bård

5.9K Posts

May 17th, 2006 16:00

Making progress.  These two are left:

O4 - HKLM\..\RunServices: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe
O4 - HKCU\..\Run: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe

HJT, Misc Tools, Open Process Manager and highlight C:\WINDOWS\system32\taskbar.exe then Kill Process.  Close the Process manager and press the Back button then Scan.  Check the above two lines and Fix Checked.

Reboot and do another HJT log and let's see if they came back again.

Ron
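The step Ron describes, Kill Process first and Fix Checked second, exists because a running copy of the program can put its Run-key entry straight back; bård's question is the other case, where the autorun entry points at a file that is no longer running or no longer present. As an added example (not code from the thread or from HijackThis), the script below splits an HJT log into its Running processes section and its O4 entries and reports which autorun targets are currently running and which are not. The sample lines are copied from the May 17 log; igfxtray.exe also comes out as not running, a reminder that absence from the process list is a fact to check, not a verdict.

```python
"""Cross-check HJT autorun (O4) targets against the Running processes section.

Added example for this thread; not part of HijackThis.
"""
import re
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")            # R0/O4/O23... entry lines
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\\w+: \[[^\]]+\] (.*)$")
EXE_RE = re.compile(r'([^\\/\s"]+\.exe)', re.I)    # first name.exe in a value


def split_log(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (running process paths, Rxx/Oxx entry lines) from an HJT log."""
    processes, entries = [], []
    in_procs = False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False
            entries.append(line)
        elif in_procs:
            processes.append(line)
    return processes, entries


def autorun_vs_running(lines: List[str]) -> Dict[str, List[str]]:
    """Sort O4 autorun targets by whether their executable is in the process list."""
    processes, entries = split_log(lines)
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    seen, absent = set(), set()
    for entry in entries:
        m = O4_RE.match(entry)
        em = EXE_RE.search(m.group(1)) if m else None
        if not em:
            continue
        exe = em.group(1).lower()
        (seen if exe in running else absent).add(exe)
    return {"running": sorted(seen), "not_running": sorted(absent)}


# Lines copied from the May 17 HijackThis log in this thread (a subset).
SAMPLE_LOG = [
    "Logfile of HijackThis v1.99.1",
    "Scan saved at 08:16:02, on 17.05.2006",
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\BCMSMMSG.exe",
    r"C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe",
    r"C:\WINDOWS\system32\hkcmd.exe",
    r"C:\WINDOWS\system32\igfxpers.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Programfiler\Messenger\msmsgs.exe",
    r"C:\hjt\HijackThis.exe",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dagbladet.no/",
    r"O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe",
    r"O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe",
    r"O4 - HKLM\..\RunServices: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background',
    r"O4 - HKCU\..\Run: [Windows Update Manager] C:\WINDOWS\system32\taskbar.exe",
]

if __name__ == "__main__":
    result = autorun_vs_running(SAMPLE_LOG)
    print("autorun targets currently running:", result["running"])
    print("autorun targets not running (file may already be gone):", result["not_running"])
```

Matching is by file name only, as the process list in an HJT log gives full paths but a Run value may be a bare name such as BCMSMMSG.exe; a more careful version would compare full paths where both sides have them.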

5.9K Posts

May 17th, 2006 17:00

Sure.  Maybe we will get lucky.  Could be the file is missing already and HJT didn't notice.
 
Ron

7 Posts

May 18th, 2006 00:00

I checkfixed the 2 items and rebooted. Here's the new hjtlog:

 

Logfile of HijackThis v1.99.1
Scan saved at 03:53:33, on 18.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dagbladet.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google-søk - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Oversett engelsk ord - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Koblinger bakover - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Lignende sider - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Øyeblikksbilde av siden i hurtigbufferen - res://C:\Programfiler\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: POKER - {FB389F33-303A-4490-9E18-B301A493FBF2} - C:\Programfiler\PokermMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

How does this look?

5.9K Posts

May 18th, 2006 01:00

Looks good.  Any problems left?

Ron

7 Posts

May 18th, 2006 07:00

Thank you for the quick and precise help. I see no signs left of SysProtect and those things, so hopefully that problem is solved. The computer still hangs up and freezes occasionally though, don't know what it is........

5.9K Posts

May 18th, 2006 13:00

A Few Recommendations.
 
You can delete any programs we had you install but leave Hijackthis for now.  You can also run Hijackthis, View the List of Backups and Delete All.  If we used killbox its backup files can be removed now too.  Run Killbox and select File, Cleanup, Delete All Backups.  If you have an antivirus, check its quarantined files and delete any it had found.
 
You should also definitely toggle System Restore off and then back on.
The following site has very clear instructions for turning it off. To turn it back on you just repeat the instructions but uncheck the box where it says to Turn Off System Restore on all Drives.
 
The reason we do this is to remove any archived copies of the infection from System Restore, so that if you have to use System Restore to fix a problem you won't accidentally reinfect your system. The next link explains how to use System Restore to go back in time if you hit a bad site or get infected.
 

One way to make an infection more obvious is to check everything in your current HijackThis log and Add to Ignore List, then set up HijackThis to run at boot and show you if it finds anything new. You do this by choosing None of the Above, Just start the program, then Config (Main), and checking the box in front of Run HijackThis at startup and show it when items are found. OK. Then if HijackThis opens after a boot it will show you any new programs that have been added. You can then decide if you want to keep them or not. If in doubt you can google for the .exe or .dll file at the end of the entry and see what other people think of it.
 
To avoid going to a bad site you might want to install IE-SpyAd and SpywareBlaster and make the other changes recommended at:
http://www.mvps.org/winhelp2002/restricted.htm
I used to recommend Spybot's Immunize system but have recently learned it is not as good as the one at:
http://www.mvps.org/winhelp2002/hosts.htm
Always run a firewall. The one in XP SP2 is pretty good, though I think the free one from Zone Alarm is better.
Turn on Autoupdates so you always get the latest patches from Windows.
It never hurts to do one of the free online scans from Panda or Trend. They take a while but are pretty good.
www.pandasoftware.com/activescan/activescan.asp?

http://uk.trendmicro-europe.com/consumer/housecall/housecall_launch.php (works with both java and activeX browsers)
or
http://housecall60.trendmicro.com/en/start_corp.asp?id=scan (activeX only, but with some extra useful options)
I like to run Spybot S&D. 
http://www.safer-networking.org/en/download/index.html
Also like to run AdAware once in a while. 
http://www.lavasoftusa.com/software/adaware/
Make sure you have removed any older versions of Java or JRE with Control Panel, Add/Remove Programs. Updates do not remove the older versions, which have exploitable flaws.
If you have an older PC, get rid of Microsoft Java Virtual Machine.
Following site explains how to tell if you have it:
The automated removal tool is no longer available on Microsoft's site but can be obtained here:
Download the MSJVM Removal Tool from:
http://www.majorgeeks.com/download4158.html
 
and run it.
 
If you feel that Internet Explorer is running a bit slower after the latest Java update you can try checking this line and then Fix Checked.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

It was added by the latest version of Java.  We don't know why.  Earlier versions did not have it.  It has been proven to slow down connections on some systems and removing it doesn't seem to hurt anything.
Other items you may wish to get rid of if you own a Dell are:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
These are from the MyWay adware program installed on most Dells. The uninstaller was broken on many of them.
To remove, just close Internet Explorer, run HijackThis (scan only), check them, then Fix Checked.

If you are not running the latest version of Adobe you should consider updating. There are reports of a loophole for hackers in pre-7.03 versions.
As an alternative you can dump Adobe completely and use Foxit instead:
http://www.foxitsoftware.com/pdf/rd_intro.php
If you do not have an antivirus program or the one you have was a trial that has expired then try the free antivirus for home users from Avast!
http://www.avast.com/eng/download-avast-home.html  (Uninstall any other antivirus program first.)
If you run Macromedia Flash make sure you have the latest version.  We just got a warning the following versions are vulnerable:
* Flash Player 8.0.22.0 and earlier
* Flash Professional 8
* Flash Basic
* Flash MX 2004
* Flash Debug Player 7.0.14.0 and earlier
* Flex 1.5
* Breeze Meeting Add-In 5.1 and earlier
* Adobe Macromedia Shockwave Player 10.1.0.11 and earlier
I also advise you to dump WeatherBug if you have it. Start, Control Panel, Add/Remove Programs.
If you need weather then get The Weather Channel's program at:
http://www.weather.com/services/desktop.html?from=wxtoolspage&refer=wxtoolspage
