Tech Support banner

Status
Not open for further replies.
1 - 3 of 3 Posts

·
Registered
Joined
·
7 Posts
Discussion Starter #1
Logfile of HijackThis v1.99.1
Scan saved at 4:36:42 PM, on 9/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\winnt\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\System32\tcpsvcs.exe
C:\winnt\System32\snmp.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\winnt\explorer.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
E:\Virus Removal tool\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125297332901
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CA4616B-EC91-4169-ACF6-BB512578D213}: NameServer = 202.138.97.193 202.138.96.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{A36DE2D3-E866-4C65-ADFD-050525BC6F52}: NameServer = 202.160.0.7,202.160.0.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CA4616B-EC91-4169-ACF6-BB512578D213}: NameServer = 202.138.97.193 202.138.96.2
O23 - Service: 07353 - Unknown owner - \\220.224.29.202\Admin$\system32\eraseme_16076.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\winnt\System32\dmadmin.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: spool - Unknown owner - C:\winnt\spoollv.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

·
Registered
Joined
·
94 Posts
Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.
 

·
Registered
Joined
·
94 Posts
Hi s_a_ansari,

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Do you know what this entry is? "O23 - Service: 07353 - Unknown owner - \\220.224.29.202\Admin$\system32\eraseme_16076.exe (file missing)"

What exactly do you mean in your thread title "HijackThis Log File PN infected with Virus" ?

Please download Adaware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this Site to get the plug-in for fixing VX2 variants.
Also make sure to Customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds.

Download Spybot. Install the program, update the definitions file and run a scan. Fix all the entries, which are indicated in RED.

Download CWShredder. Check for Update then click Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Click Start->Run - type SERVICES.MSC & then click on the OK button

Locate the service - spool
Double-click on it to open the Properties dialog.
Stop the service by using the Stop button.
Change the Startup type to Disabled & then click on the OK button

Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, copy and paste spool into it & then click on the OK button

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O23 - Service: spool - Unknown owner - C:\winnt\spoollv.exe (file missing)


Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\winnt\spoollv.exe

Reboot your system in Normal Mode.

Perform an online scan with Internet Explorer with Panda ActiveScan

  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveXcontrols
Begin the scan by selecting My Computer

  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply along with a new HJT log

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


In your next reply please post the contents of the Panda report, as well as a fresh Hijack This log so that we can check if your system is clean.
 
1 - 3 of 3 Posts
Status
Not open for further replies.
Top