windows explorer crashes

michaelsubtonik · 10-15-2005, 09:36 PM

windows explorer crashes on boot up, even in safe mode. If I use the task manager to end process explorer.exe, I can launch applications and run them fine with the "new task" option... Im unsure what is causing explorer to crash everything.

Help !

thanks : )

Michael

Logfile of HijackThis v1.99.1
Scan saved at 1:11:17 PM, on 16/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\devldr32.exe
D:\anit virus stuff\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {93336822-F4C1-AF1D-E76D-F47A94E10EE5} - C:\WINDOWS\system32\ejk.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2B90886-2AA6-4501-B966-B7A22D9E0A44}: NameServer = 85.255.113.130,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA7E4442-574D-46F1-9A0F-1B063193247E}: NameServer = 85.255.113.130,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19
O20 - Winlogon Notify: style32 - c:\ms32.tmp
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

**RavenMind** · 10-15-2005, 11:01 PM

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back to address your problem A.S.A.P.

Please Subscribe to this thread, (Thread Tools->Subscribe to this Thread) so that you are notified when a reply has been made.

Please be patient with me during this time.

In the mean time, please download & run a scarn with AdAware SE Personal. Keep the default options, however, some of the settings will need to be changed before your first scan.

Close ALL windows except Ad-Aware SE.
Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
1. In the ‘General’ window make sure the following are selected in green:
  1. Under [Safety]:
    - Automatically save log-file
  2. Automatically quarantine objects prior to removal
  3. Safe Mode (always request confirmation)
2. Under [Definitions]:
  - Prompt to update outdated definitions - set the [number of days]
Click on the ‘Scanning’ button on the left and select in green:
1. Under [Driver, Folders & Files]:
  - Scan Within Archives
2. Under Select drives & folders to scan:
  - choose all hard drives
3. Under [Memory & Registry]: all green
  - Scan Active Processes
  - Scan Registry
  - Deep Scan Registry
  - Scan my IE favorites for banned URL’s
  - Scan my Hosts file
Click on the [‘Advanced’] button on the left and select in green:
1. Under [Shell Integration]:
  - Move deleted files to recycle bin
2. Under [Logfile Detail Level]: all green
  - include addtional object information
  - DESELECT - include negligible objects information
  - include environment information
3. Under [Alternate Data Streams]:
  - Don't log streams smaller than 0 bytes
  - Don't log ADS with the following names: [CA_INOCULATEIT]
Click the ‘Tweak’ button and select in green:
1. Under [Scanning Engine]:
  - Unload recognized processes during scanning
  - Scan registry for all users instead of current user only
2. Under [Cleaning Engine]:
  - Let Windows remove files in use at next reboot
3. Under [Log Files]:
  - Include basic Ad-aware SE settings in logfile
  - Include additional Ad-aware SE settings in logfile
  - Please do not Select: Include Module list in logfile
Click on ‘Proceed’ to save the settings.
Click ‘Start’
Choose 'Perform Full System Scan'
DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
Right-click on the list and choose [Select All]
Click the [Next] button to finish removing the items that were found
When finished, REBOOT to complete the removal of what Ad-Aware SE found

-----------------------------------------------------------------------

Next perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Standard
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

------------------------------------------------------------------------

Please reply back with the Kaspersky log, a fresh HJT log in Normal Mode, and anything AdAware fails to clean.

Thanks,

RavenMind

michaelsubtonik · 10-16-2005, 08:39 AM

Thanks for replying so quickly ! : )

The online scan took quite a while... but it finally made it through a full scan of my PC.

Kaspersky found this :

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 17, 2005 00:32:17
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/10/2005
Kaspersky Anti-Virus database records: 145074
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 106209
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 13821 sec

Infected Object Name - Virus Name
C:\ms32.tmp Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{35AD59EB-21E3-4539-B284-06A52C1B5351}\RP74\A0008892.exe Infected: Trojan-Downloader.Win32.Delf.ks
D:\System Volume Information\_restore{7FE14B5E-E530-4CF5-AC1D-0F35B5FFD583}\RP61\A0022250.exe Infected: Virus.Win32.Parite.b
D:\System Volume Information\_restore{7FE14B5E-E530-4CF5-AC1D-0F35B5FFD583}\RP61\A0022251.exe Infected: Virus.Win32.Parite.b

Scan process completed.

After the scan I rescanned with HTJ.

Logfile of HijackThis v1.99.1
Scan saved at 12:35:47 AM, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\camera drivers\USBDriver\amcap.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\anit virus stuff\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {93336822-F4C1-AF1D-E76D-F47A94E10EE5} - C:\WINDOWS\system32\ejk.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2B90886-2AA6-4501-B966-B7A22D9E0A44}: NameServer = 85.255.113.130,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA7E4442-574D-46F1-9A0F-1B063193247E}: NameServer = 85.255.113.130,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19
O20 - Winlogon Notify: style32 - c:\ms32.tmp
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

cheers

Michael

michaelsubtonik · 10-16-2005, 08:40 AM

oh yeah I forgot to mention that adaware found nothing...

**RavenMind** · 10-17-2005, 12:14 PM

Hello, Michael. Thank you for being patient while I reviewed your log!

Important: Copy this page into Notepad & save it. You may also want to print out a copy of these instructions in case you are unable to access Notepad during the fix. Make sure to work through the fixes in the exact order they are presented. If there is anything that you don't understand, ask me about it before proceeding with the fixes. It is important to close all browsers (Internet Explorer, My Computer, etc.) or windows when you are running any scans, tools, or HJT.

Enable the viewing of hidden files/folders:

Go to My Computer > Tools > Folder Options > “View” tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible too.
Downloads:

CleanUp!
The Temp folders are a popular place for malware to hide out, plus installation programs tend to leave a lot of junk in there. Download and install CleanUp! to clean out your temps, but do not run it yet.

Ewido Security Suite. Download & install Ewido, then update it's database. Do not run it yet.
Reboot into Safe Mode.
Restart the computer. While it’s booting up, tap the F8 key until a numbered menu appears. Choose “Safe Mode”, press Enter, and Windows will continue to load.
Suspicious Address:

Quote:

85.255.113.130, 85.255.112.19

These addresses appear linked to a company called Inhoster out of the Ukraine (a hotbed for malware & spam). If you don’t recognize them then please remove them with HJT. (Next step)
HiJackThis Entries:

Run a scan in HijackThis. Place a check mark next to the following entries if they still exist:

O2 - BHO: (no name) - {93336822-F4C1-AF1D-E76D-F47A94E10EE5} - C:\WINDOWS\system32\ejk.dll (file missing)
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2B90886-2AA6-4501-B966-B7A22D9E0A44}: NameServer = 85.255.113.130,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA7E4442-574D-46F1-9A0F-1B063193247E}: NameServer = 85.255.113.130,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19
O20 - Winlogon Notify: style32 - c:\ms32.tmp

Please make sure to close all open windows & browsers, then click Fix Checked.
File Deletions:
Delete the following FILES indicated in RED.
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ejk.dll
c:\ ms32.tmp
Flush System Restore Points
This should get rid of the last 3 entries in your Kaspersky log.

Turn off System Restore:
1. Right-click "My Computer"
2. Click "Properties"
3. Click the "System Restore" tab
4. Check "Turn off System Restore" or "Turn off System Restore on all drives".
5. Click "Apply"
  When turning off System Restore, the existing restore points will be deleted.
  - Click "Yes" to proceed
6. Click "OK"
Reboot your System.

Turn on System Restore
1. Right-click "My Computer"
2. Click "Properties"
3. Click the "System Restore" tab
4. Un-Check "Turn off System Restore" or "Turn off System Restore on all drives".
5. Click "Apply"
6. Click "OK"
Note: It is very important to remember to turn system restore back on after reboot! If you do not, System Restore will remain deactivated & you will not have any previous points to restore back to should it become necessary to do so.

While system is booting, please go back to Safe Mode.
Run Cleanup!
Configure the program as follows:
1. Click Options...
2. Move the arrow down to Custom CleanUp!
3. Put a check next to the following:
  - Empty Recycle Bins
  - Delete Cookies
  - Delete Prefetch files
  - [X]Scan local drives for temporary files (Please uncheck this option)
  - Cleanup! All Users
4. Click OK
5. Press the CleanUp! button to start the program. Reboot when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup! If you have a 64 bit Operating System do NOT run CleanUp. Let me know and we will use another utility.
Reboot into Normal Mode.
Jotti File Submission:

Quote:

C:\Windows\System32\wininet.dll

You have a suspicious file or files I would like to take a closer look at. Please upload the following files for analysis at Jotti.
- Once at the site press the “Browse” button
- Navigate to the first file, select, and click “Open”
  This should bring you back to the webpage.
- Click “Submit” on the Jotti webpage
It may take a while to upload the files & analyze them. You should then be presented with another page listing results for several different scanners. Please let me know if they found anything.

(If you are unable to find wininet.dll under C:\Windows\System32, try looking at C:\WinNT(\System32), or do a search for it: Start > Search > For Files or Folders..)

Please post the following items in your next reply:
Fresh HJT log in Normal Mode

If you are using dial-up

Results of the Jotti submission

michaelsubtonik · 10-18-2005, 05:04 AM

Hi there,

the PC certainly seems to be a lot better. explorer is not crashing and I can navigate without the need for the task manager.

I am using ADSL broadband.

thanks ! : )

new HJT log and Jotti results below.

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:59:03 PM, on 18/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
D:\anit virus stuff\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O20 - Winlogon Notify: style32 - c:\ms32.tmp (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

jotti submission results

File: wininet.dll
Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 c0823fc5469663ba63e7db88f9919d70
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

**RavenMind** · 10-20-2005, 10:51 AM

Hello michael. Glad to hear your system is running better! There's just one more entry that we need to take care of.

Reboot into Safe Mode, & run a scan in HijackThis.

Place a check mark next to the following entry:

O20 - Winlogon Notify: style32 - c:\ms32.tmp (file missing)

Please make sure to close all open windows & browsers, then click Fix Checked.

Reboot into Normal Mode & post a fresh HJT log.

michaelsubtonik · 10-24-2005, 04:19 PM

Hi there,

thanks for waiting... :)

Here is a fresh HJT log after reboot and clean in safe mode :

cheers

Michael

Logfile of HijackThis v1.99.1
Scan saved at 8:15:36 AM, on 25/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
D:\anit virus stuff\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

**RavenMind** · 10-25-2005, 02:44 PM

Congratulations, your log now appears clean!

We have just a few more steps to go before we're finished.

Reset Hidden & System Files/Folders.
1. Click "Start"
2. Open "My Computer"
3. Select the "Tools" menu and click "Folder Options"
4. Select the "View" tab
5. Deselect the "Show hidden files and folders" option
6. Select the "Hide file extensions for known types" option
7. Select the "Hide protected operating system files" option
8. Click "Yes" to confirm
9. Click "OK"
Clear Java Cache
1. Click "Start" > "Settings" > "Control Panel"
2. Click the "Java Plugin" icon
3. Click the "Cache" tab
4. Click the "Clear" button
5. Click "OK" to confirm
Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel

Follow the instructions outlined here to clear Sun's Java cache.
Flush System Restore Points

Turn off System Restore:
1. Right-click "My Computer"
2. Click "Properties"
3. Click the "System Restore" tab
4. Check "Turn off System Restore" or "Turn off System Restore on all drives".
5. Click "Apply"
  When turning off System Restore, the existing restore points will be deleted.
  - Click "Yes" to proceed
6. Click "OK"
Reboot your System.

Turn on System Restore
1. Right-click "My Computer"
2. Click "Properties"
3. Click the "System Restore" tab
4. Un-Check "Turn off System Restore" or "Turn off System Restore on all drives".
5. Click "Apply"
6. Click "OK"
Note: It is very important to remember to turn system restore back on after reboot! If you do not, System Restore will remain deactivated & you will not have any previous points to restore back to should it become necessary to do so.

Preventative Measures:

Use an Alternative Browser. Most of the spyware/viruses/trojans out today target known flaws in I.E. Using an alternative browser closes most of those loopholes & you will find yourself getting far fewer (if any) infections. I'm a fan of FireFox for it's functionality, security, & low demand on system resources. Here are a few of the more popular alternative browsers:
- FireFox
- Opera
- Netscape
Secure Internet Explorer. If you choose to stay with Internet Explorer, your likelihood of reinfection is much higher. Therefore you should follow these steps to help make I.E. more secure.
- Don't add sites to the "Trusted Zone". Ever.
- Download IESpyAd. This will add over 4000 known bad websites to the Restricted Zones list & help prevent you from being redirected to them.
- Download & install Javacool's SpywareBlaster. This program will help block the download of malicious Active-X controls, block tracking cookies, and add known bad websites to the Restricted Zones list.
Obtain & use a good firewall. Firewalls are important in preventing direct attacks on your system as well as notifying you when you have malware trying to dial out. It looks like you have a firewall through Norton/Symantec. However if you don't have it set up, or don't want to use Symantec products, here are a few good free firewalls:
- Sygate
- ZoneAlarm (Not recommended for Win ME.)
- Kerio
AntiVirus I see you have Norton/Symantec installed. Please remember to check for updates often in order to stay protected. if you choose to rid yourself or Norton, here are some good free products:
Anti-Spyware Programs. You should consider downloading & using the following programs if you haven’t already. I have found for best results, a moderate internet user should use these at least once every two weeks.
- AdAware SE, including the VX2 plugin.
- Spybot Search & Destroy
- Javacool's SpywareGuard
- CleanUp!, to clean out those temp folders where spyware likes to hide.
Important: Please visit this site to learn how to configure & use the preceding programs. And remember to check for updates often!
Keep Windows Updated! Microsoft comes out with patches & security updates all the time. Please remember to visit this site often for updates, or better yet, configure your automatic update feature to do it for you.

If you have any further questions please feel free to ask, or post a new thread in the appropriate forum. Thanks for visiting TSF!

RavenMind

Note: Please respond to this post so that we can mark this thread as resolved.

michaelsubtonik · 10-26-2005, 07:19 PM

Hey Ravenmind,

thanks so much !

You have saved me from having to reinstall windows again ! : )

cheers

Michael

10-15-2005, 09:36 PM	#1 (permalink)
michaelsubtonik Registered User Join Date: Oct 2005 Posts: 6 OS: winXP	windows explorer crashes windows explorer crashes on boot up, even in safe mode. If I use the task manager to end process explorer.exe, I can launch applications and run them fine with the "new task" option... Im unsure what is causing explorer to crash everything. Help ! thanks : ) Michael Logfile of HijackThis v1.99.1 Scan saved at 1:11:17 PM, on 16/10/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\vsnpstd3.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\System32\imapi.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\system32\devldr32.exe D:\anit virus stuff\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {93336822-F4C1-AF1D-E76D-F47A94E10EE5} - C:\WINDOWS\system32\ejk.dll (file missing) O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19 O17 - HKLM\System\CCS\Services\Tcpip\..\{A2B90886-2AA6-4501-B966-B7A22D9E0A44}: NameServer = 85.255.113.130,85.255.112.19 O17 - HKLM\System\CCS\Services\Tcpip\..\{AA7E4442-574D-46F1-9A0F-1B063193247E}: NameServer = 85.255.113.130,85.255.112.19 O17 - HKLM\System\CS1\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19 O20 - Winlogon Notify: style32 - c:\ms32.tmp O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

10-15-2005, 11:01 PM	#2 (permalink)
RavenMind Lazy Bum Join Date: Mar 2005 Location: Salt Lake Posts: 1,015 OS: XP Home SP3/Vista	Hi and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back to address your problem A.S.A.P. Please Subscribe to this thread, (Thread Tools->Subscribe to this Thread) so that you are notified when a reply has been made. Please be patient with me during this time. In the mean time, please download & run a scarn with AdAware SE Personal. Keep the default options, however, some of the settings will need to be changed before your first scan. Close ALL windows except Ad-Aware SE. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window: In the ‘General’ window make sure the following are selected in green: Under [Safety]: Automatically save log-file Automatically quarantine objects prior to removal Safe Mode (always request confirmation) Under [Definitions]: Prompt to update outdated definitions - set the [number of days] Click on the ‘Scanning’ button on the left and select in green: Under [Driver, Folders & Files]: Scan Within Archives Under Select drives & folders to scan: choose all hard drives Under [Memory & Registry]: all green Scan Active Processes Scan Registry Deep Scan Registry Scan my IE favorites for banned URL’s Scan my Hosts file Click on the [‘Advanced’] button on the left and select in green: Under [Shell Integration]: Move deleted files to recycle bin Under [Logfile Detail Level]: all green include addtional object information DESELECT - include negligible objects information include environment information Under [Alternate Data Streams]: Don't log streams smaller than 0 bytes Don't log ADS with the following names: [CA_INOCULATEIT] Click the ‘Tweak’ button and select in green: Under [Scanning Engine]: Unload recognized processes during scanning Scan registry for all users instead of current user only Under [Cleaning Engine]: Let Windows remove files in use at next reboot Under [Log Files]: Include basic Ad-aware SE settings in logfile Include additional Ad-aware SE settings in logfile Please do not Select: Include Module list in logfile Click on ‘Proceed’ to save the settings. Click ‘Start’ Choose 'Perform Full System Scan' DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window Right-click on the list and choose [Select All] Click the [Next] button to finish removing the items that were found When finished, REBOOT to complete the removal of what Ad-Aware SE found ----------------------------------------------------------------------- Next perform an online scan with Internet Explorer with Kaspersky WebScanner Next Click on Launch Kaspersky Anti-Virus Web Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Standard Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. Take note the names and locations of any file it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan ------------------------------------------------------------------------ Please reply back with the Kaspersky log, a fresh HJT log in Normal Mode, and anything AdAware fails to clean. Thanks, RavenMind Last edited by RavenMind; 10-15-2005 at 11:11 PM.

10-16-2005, 08:39 AM	#3 (permalink)
michaelsubtonik Registered User Join Date: Oct 2005 Posts: 6 OS: winXP	virus scanned and a new HJT scan Thanks for replying so quickly ! : ) The online scan took quite a while... but it finally made it through a full scan of my PC. Kaspersky found this : ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Monday, October 17, 2005 00:32:17 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.67.0 Kaspersky Anti-Virus database last update: 16/10/2005 Kaspersky Anti-Virus database records: 145074 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: standard Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 106209 Number of viruses found: 3 Number of infected objects: 4 Number of suspicious objects: 0 Duration of the scan process: 13821 sec Infected Object Name - Virus Name C:\ms32.tmp Infected: Trojan-Downloader.Win32.Delf.h C:\System Volume Information\_restore{35AD59EB-21E3-4539-B284-06A52C1B5351}\RP74\A0008892.exe Infected: Trojan-Downloader.Win32.Delf.ks D:\System Volume Information\_restore{7FE14B5E-E530-4CF5-AC1D-0F35B5FFD583}\RP61\A0022250.exe Infected: Virus.Win32.Parite.b D:\System Volume Information\_restore{7FE14B5E-E530-4CF5-AC1D-0F35B5FFD583}\RP61\A0022251.exe Infected: Virus.Win32.Parite.b Scan process completed. After the scan I rescanned with HTJ. Logfile of HijackThis v1.99.1 Scan saved at 12:35:47 AM, on 17/10/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\vsnpstd3.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\system32\devldr32.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Internet Explorer\iexplore.exe D:\camera drivers\USBDriver\amcap.exe C:\WINDOWS\system32\NOTEPAD.EXE D:\anit virus stuff\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {93336822-F4C1-AF1D-E76D-F47A94E10EE5} - C:\WINDOWS\system32\ejk.dll (file missing) O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19 O17 - HKLM\System\CCS\Services\Tcpip\..\{A2B90886-2AA6-4501-B966-B7A22D9E0A44}: NameServer = 85.255.113.130,85.255.112.19 O17 - HKLM\System\CCS\Services\Tcpip\..\{AA7E4442-574D-46F1-9A0F-1B063193247E}: NameServer = 85.255.113.130,85.255.112.19 O17 - HKLM\System\CS1\Services\Tcpip\..\{07F31DF4-24AB-403F-9962-6E1F5FAE7D0B}: NameServer = 85.255.113.130,85.255.112.19 O20 - Winlogon Notify: style32 - c:\ms32.tmp O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe cheers Michael

10-25-2005, 02:44 PM	#9 (permalink)
RavenMind Lazy Bum Join Date: Mar 2005 Location: Salt Lake Posts: 1,015 OS: XP Home SP3/Vista	Congratulations, your log now appears clean! We have just a few more steps to go before we're finished. Reset Hidden & System Files/Folders. Click "Start" Open "My Computer" Select the "Tools" menu and click "Folder Options" Select the "View" tab Deselect the "Show hidden files and folders" option Select the "Hide file extensions for known types" option Select the "Hide protected operating system files" option Click "Yes" to confirm Click "OK" Clear Java Cache Click "Start" > "Settings" > "Control Panel" Click the "Java Plugin" icon Click the "Cache" tab Click the "Clear" button Click "OK" to confirm Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel Follow the instructions outlined here to clear Sun's Java cache. Flush System Restore Points Turn off System Restore: Right-click "My Computer" Click "Properties" Click the "System Restore" tab Check "Turn off System Restore" or "Turn off System Restore on all drives". Click "Apply" When turning off System Restore, the existing restore points will be deleted. Click "Yes" to proceed Click "OK" Reboot your System. Turn on System Restore Right-click "My Computer" Click "Properties" Click the "System Restore" tab Un-Check "Turn off System Restore" or "Turn off System Restore on all drives". Click "Apply" Click "OK" Note: It is very important to remember to turn system restore back on after reboot! If you do not, System Restore will remain deactivated & you will not have any previous points to restore back to should it become necessary to do so. Preventative Measures: Use an Alternative Browser. Most of the spyware/viruses/trojans out today target known flaws in I.E. Using an alternative browser closes most of those loopholes & you will find yourself getting far fewer (if any) infections. I'm a fan of FireFox for it's functionality, security, & low demand on system resources. Here are a few of the more popular alternative browsers: FireFox Opera Netscape Secure Internet Explorer. If you choose to stay with Internet Explorer, your likelihood of reinfection is much higher. Therefore you should follow these steps to help make I.E. more secure. Don't add sites to the "Trusted Zone". Ever. Download IESpyAd. This will add over 4000 known bad websites to the Restricted Zones list & help prevent you from being redirected to them. Download & install Javacool's SpywareBlaster. This program will help block the download of malicious Active-X controls, block tracking cookies, and add known bad websites to the Restricted Zones list. Obtain & use a good firewall. Firewalls are important in preventing direct attacks on your system as well as notifying you when you have malware trying to dial out. It looks like you have a firewall through Norton/Symantec. However if you don't have it set up, or don't want to use Symantec products, here are a few good free firewalls: Sygate ZoneAlarm (Not recommended for Win ME.) Kerio AntiVirus I see you have Norton/Symantec installed. Please remember to check for updates often in order to stay protected. if you choose to rid yourself or Norton, here are some good free products: Avast! AVG AntiVir Anti-Spyware Programs. You should consider downloading & using the following programs if you haven’t already. I have found for best results, a moderate internet user should use these at least once every two weeks. AdAware SE, including the VX2 plugin. Spybot Search & Destroy Javacool's SpywareGuard CleanUp!, to clean out those temp folders where spyware likes to hide. Important: Please visit this site to learn how to configure & use the preceding programs. And remember to check for updates often! Keep Windows Updated! Microsoft comes out with patches & security updates all the time. Please remember to visit this site often for updates, or better yet, configure your automatic update feature to do it for you. If you have any further questions please feel free to ask, or post a new thread in the appropriate forum. Thanks for visiting TSF! RavenMind Note: Please respond to this post so that we can mark this thread as resolved.

10-16-2005, 08:40 AM	#4 (permalink)
michaelsubtonik Registered User Join Date: Oct 2005 Posts: 6 OS: winXP	oh yeah I forgot to mention that adaware found nothing...

10-18-2005, 05:04 AM	#6 (permalink)
michaelsubtonik Registered User Join Date: Oct 2005 Posts: 6 OS: winXP	Hi there, the PC certainly seems to be a lot better. explorer is not crashing and I can navigate without the need for the task manager. I am using ADSL broadband. thanks ! : ) new HJT log and Jotti results below. HJT log Logfile of HijackThis v1.99.1 Scan saved at 8:59:03 PM, on 18/10/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\ewido\security suite\ewidoguard.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Mozilla Firefox\firefox.exe D:\anit virus stuff\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O20 - Winlogon Notify: style32 - c:\ms32.tmp (file missing) O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe jotti submission results File: wininet.dll Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) MD5 c0823fc5469663ba63e7db88f9919d70 Packers detected: - Scanner results AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing Fortinet Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing UNA Found nothing VBA32 Found nothing

10-20-2005, 10:51 AM	#7 (permalink)
RavenMind Lazy Bum Join Date: Mar 2005 Location: Salt Lake Posts: 1,015 OS: XP Home SP3/Vista	Hello michael. Glad to hear your system is running better! There's just one more entry that we need to take care of. Reboot into Safe Mode, & run a scan in HijackThis. Place a check mark next to the following entry: O20 - Winlogon Notify: style32 - c:\ms32.tmp (file missing) Please make sure to close all open windows & browsers, then click Fix Checked. Reboot into Normal Mode & post a fresh HJT log.

10-24-2005, 04:19 PM	#8 (permalink)
michaelsubtonik Registered User Join Date: Oct 2005 Posts: 6 OS: winXP	Hi there, thanks for waiting... :) Here is a fresh HJT log after reboot and clean in safe mode : cheers Michael Logfile of HijackThis v1.99.1 Scan saved at 8:15:36 AM, on 25/10/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\ewido\security suite\ewidoguard.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\devldr32.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\wuauclt.exe D:\anit virus stuff\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

10-26-2005, 07:19 PM	#10 (permalink)
michaelsubtonik Registered User Join Date: Oct 2005 Posts: 6 OS: winXP	Hey Ravenmind, thanks so much ! You have saved me from having to reinstall windows again ! : ) cheers Michael