5
Contributors
9
Replies
10
Views
13 Years
Discussion Span
Last Post by crunchie
0

To hard to read that log ,run hijack ,the scan button will turn into a save log button , save the log ,and notepad will open up click save and just copy paste that log directly into you post .

0

i have previously fixed :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\FOILLT~1\LOKALE~1\Temp\sp.html

and

O2 - BHO: (no name) - {2545E3AB-050A-48EB-8B3F-FF2CEADB2172} - (no file)

so they are in quarantine now....

under the hijackthis log you'll find the current running processes

here is my log :

Logfile of HijackThis v1.97.7
Scan saved at 15:36:44, on 16.08.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\sstray.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\NetLimiter 1.30\NetLimiter.exe
C:\Programfiler\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programfiler\D-Tools 3.46\daemon.exe
C:\Programfiler\Winamp 2.91\Winampa.exe
C:\Programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE
C:\Programfiler\Logitech\ImageStudio\LogiTray.exe
C:\Programfiler\Logitech\ImageStudio\LowLight.exe
C:\Programfiler\QuickTime\qttask.exe
C:\PROGRA~1\REGIST~1.3\RCrawler.exe
C:\Programfiler\CloneCD 4.2.0.2\CloneCDTray.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\Spy Sweeper\SpySweeper.exe
C:\Programfiler\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\HDD Temperature Pro 1.1\HDDTsvc.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\Programfiler\Opera 7.51\opera.exe
C:\Programfiler\VNC 4.0\vncviewer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\Programmer\HijackThis 1.97.7.exe
C:\Programfiler\Messenger\msmsgs.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Programfiler\NetLimiter 1.30\NetLimiter.exe /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools 3.46\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programfiler\Winamp 2.91\Winampa.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Programfiler\Fellesfiler\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programfiler\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Programfiler\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\REGIST~1.3\RCrawler.exe -TRAYONLY
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programfiler\CloneCD 4.2.0.2\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programfiler\CloneCD 4.2.0.2\CloneCDTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cache] C:\Documents and Settings\Dohmann\qcache.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Programfiler\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: HDD Temperature Pro.lnk = C:\Programfiler\HDD Temperature Pro 1.1\HDDTemperaturePro.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programfiler\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

These are the Current Active Services:

ATI HOTKEY POLLER: Ati HotKey Poller
C:\WINDOWS\System32\Ati2evxx.exe

WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

COMPUTER BROWSER: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs

CRYPTOGRAPHIC SERVICES: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

DHCP CLIENT: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

LOGICAL DISK MANAGER: dmserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

ERROR REPORTING SERVICE: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

COM+-HENDELSESSYSTEM: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs

HELP AND SUPPORT: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

SERVER: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

WORKSTATION: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK CONNECTIONS: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK LOCATION AWARENESS (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs

PLUG AND PLAY SVC SERVICE: pnpsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

TASK SCHEDULER: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs

SECONDARY LOGON: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYSTEM EVENT NOTIFICATION: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs

SHELL HARDWARE DETECTION: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs

TERMINAL SERVICES: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs

THEMES: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs

DISTRIBUTED LINK TRACKING CLIENT: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs

UPLOAD MANAGER: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS TIME: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs

PORTABLE MEDIA SERIAL NUMBER: WmdmPmSp
C:\WINDOWS\System32\svchost.exe -k netsvcs

AUTOMATISKE OPPDATERINGER: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs

WIRELESS ZERO CONFIGURATION: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYMANTEC EVENT MANAGER: ccEvtMgr
"C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe"

SYMANTEC SETTINGS MANAGER: ccSetMgr
"C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe"

DNS CLIENT: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService

EVENT LOG: Eventlog
C:\WINDOWS\system32\services.exe

PLUG AND PLAY: PlugPlay
C:\WINDOWS\system32\services.exe

HDD TEMPERATURE: HDDTService
C:\Programfiler\HDD Temperature Pro 1.1\HDDTsvc.exe /startedbyscm:916B11C7-40E287F3-HDDTService

TCP/IP NETBIOS HELPER: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService

REMOTE REGISTRY: RemoteRegistry
C:\WINDOWS\system32\svchost.exe -k LocalService

SSDP DISCOVERY SERVICE: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService

WEBCLIENT: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService

NORTON ANTIVIRUS AUTO PROTECT SERVICE: navapsvc
"C:\Programfiler\Norton AntiVirus\navapsvc.exe"

NORTON UNERASE PROTECTION: NProtectService
C:\Programfiler\Norton AntiVirus\AdvTools\NPROTECT.EXE

IPSEC SERVICES: PolicyAgent
C:\WINDOWS\System32\lsass.exe

PROTECTED STORAGE: ProtectedStorage
C:\WINDOWS\system32\lsass.exe

SECURITY ACCOUNTS MANAGER: SamSs
C:\WINDOWS\system32\lsass.exe

REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

SAVSCAN: SAVScan
C:\Programfiler\Norton AntiVirus\SAVScan.exe

PRINT SPOOLER: Spooler
C:\WINDOWS\system32\spoolsv.exe

WINDOWS IMAGE ACQUISITION (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc

SYMANTEC CORE LC: Symantec Core LC
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

0

Are you running 386MAX Disk-Cache utility (Qcache.exe) or is this one the virus one? I can't find reliable information about removal if it's the virus. No doubt Crunchie knows tho ;)

0

Hi. First of all you need to update hijackthis to version 1.98.2. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by deleting the file manually. Unzip the new version into the hijackthis folder.

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

0

Hi. First of all you need to update hijackthis to version 1.98.2. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by deleting the file manually. Unzip the new version into the hijackthis folder.

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

im not sure how...but i think i fixed it ;). i laid in som registry changes..

0

Hi Guys,
I have the same problem that Foilltank had previously. I am a beginer to this sort of stuff and i realy dont know how to fix it. I am going mad... Could you please give me an explanation in basic, baby english on how i can get rid of this crap..

I would realy appreciate it.
Thanks..

0

Hi Guys,
I have the same problem that Foilltank had previously. I am a beginer to this sort of stuff and i realy dont know how to fix it. I am going mad... Could you please give me an explanation in basic, baby english on how i can get rid of this crap..

I would realy appreciate it.
Thanks..

First up you will need to start your own thread & not tag on to the end of another member's :).

Download & instal Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Always try to unload Modules before deletion' & 'let Windows remove files in use at next reboot.'
Select 'activate in-depth scan' before starting scan.
When the scan is finished select 'next.'
Remove what it finds by placing a check in the box to the left of the object. Reboot

Download & instal Spybot S&D from here. Update it before scanning.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. This program will prevent the install of bad activex controls that it has knowledge of. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot

Download HijackThis from here & unzip it into it's own, permanent folder, (Not a temporary folder or the desktop (in a folder on the desktop is fine) & not directly on your hard drive). If you prefer an executable file, then download from here.
If you have anything disabled in MsConfig, please re-enable it/them.
Start HJT & with all browser windows closed, press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.