Posts by 'Stein

Alrite, I kinda read ure HJT log (I really dont kno if ya should do it or not, seing that im new at reading HJT logs...)
But, I THINK i've found some bad stuff:

O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\gpn0l35m1.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2hpaC1waW4gSHN1\command.exe (file missing)

Now, I dont even trust myself too much, so i dunno if ya wanna fix um or not.... I'd wait until someone better looks at it.

In addition, I cross checked ure HJT log on an online analyzer, and it found the same things i did, just to let ya kno.

could ya post a HJT log please?

first post ure HJT log, then we'll work from there

according to some other forums, this might work, but for all i kno its more spyware....so mabe ya should wait until somebody smarter posts, but ya, ya might wanna try this if ure desperate

http://www.bestoffersnetworks.com/uninstall/

Are ya able to scan with antivirus?
If so, what have ya tried?

Does it let ya update software..ie update ad-aware definitions?

Damn....I tried it with the firewall/antivirus disabled and it workd :o

..sorry bout that...

Again on my bro's computer....whenever he tries to install a legit game from a website, it downloads, but whenever he tries to click on the icon to install, it pops up with a box that reads "this application could not open because you do not have a WIN32 application."

This isn't really my specialty, so therefore I posted here. Thanks again for results.

Alrite, again, thanks a ton DMR. The 'lsass.exe' sorta freaked me out, so I guess I reacted sorta quickly. Again, I appreciate the help

First off, ya gotta understand that I read in full thru most of these posts, and I've come to a realization: DMR is the solution to mostly all of the problems in here. Yes, I realize that this should be posted in another location, but then its true impact wouldn't been seen. Also, I realze there are many other helpers in here, but I feel DMR has solved most of the problems in this room.

Tell me what ya think... :cool:

Sry...my bro's a dumb piece...he used a P2P and downloaded several viruses hidden in another folder. Norton Antivirus caught 1. However, when I tried to delete the folder from the desktop, it told me it was in use. This freaked me out, so i went and checked processes. I THINK I saw sass but I'm unsure... :sad: Also if ya see any other spyware/malware/virui on there could ya tell me?

help?

Here's the HJT log::

Logfile of HijackThis v1.99.1
Scan saved at 10:56:26 PM, on 1/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
…

Yep, all's well. Thanks dude, 'preciate it

Alrite I did what ya told me to do, and so far so good I guess..

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          10:09:44 PM, 1/11/2006
 + Report-Checksum:     F2CDAAA1

 + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
    HKLM\SOFTWARE\Classes\MediaPass.Installer -> Spyware.WinAd : Cleaned with backup
    HKLM\SOFTWARE\Classes\MediaPass.Installer\CurVer -> Spyware.WinAd : Cleaned with backup
    :mozilla.7:C:\Documents and Settings\jhay2\Application Data\Mozilla\Firefox\Profiles\lam9lpt7.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:31:12 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1118936981\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AMERIC~1.0A\waol.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\common files\aol\1118936981\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
c:\program files\common files\aol\1118936981\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AMERIC~1.0A\shellmon.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome[/url] …

Wow,, after running the Spybot System Internals search for registry inconsistencies, i found that jake.scr and Secure Shield (i believe another spyware) came up as "startup file does not exist. I didn't repair them because I'm unsure how good it would be for me to do so.

However, these and more were found in the "system startup' section of Spybot. In addition, it mentioned that "C:\WINDOWS\System32\ctfmon.exe" is spyware. Yes...No? ;)

Ah well,, i'd like to thank ya ahead of time for looking over my HJT.

Alrite I did what ya told me to,,, heres the HJT results::

Logfile of HijackThis v1.99.1
Scan saved at 1:31:26 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1118936981\ee\AOLSoftware.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\common files\aol\1118936981\ee\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\msiexec.exe
c:\program files\common files\aol\1118936981\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
c:\program files\common files\aol\1118936981\ee\ComputerCheckup.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = …

so in other words are ya sayin ya cant establish a secure connection?

sry, but your explanations are too vague. try to be more specific.

Im sure crunchie's covered it, but WeatherBug is spyware/adware and significantly slows da computer. And also it doesnt always uninstall like its supposed to. take it out and see how ure computer turns out.

Basically, ure gonna go change the code written by Microsoft, and its easier then ya think. Basically like editing a Word document.

several things then,,

first off, did it say where the files were located? If so, thats amazing. I'd try safe mode and attempt to delete them.

if it didnt say where theyre located, i better leave the issue to someone who knows more about hijackthis...

hmm, did ya buy from a dealer,, or did ya assemble ureself?

Also, use this guy's advice,, it worked EXTREMELY well for me:

www.daniweb.com/techtalkforums/thread27570.html

cancel that, I just looked and see that ya already have it

my bad

question tho,, are ya ever getting the blue screen of death?

Altough it costs money, I'd reccomend buying Norton Interent Security

1) it's bundled with Norton Anti-virus, which is one of the better scanners on the market. Ive used Norton for many years now, and its caught every virus ive had, and in almost every case, deleted automatically. In the 1 case where it didnt, it showed me the location of the virus, and then I just had to delete manually

hope this helps

Blackice is also supposedly rated pretty well

Also, if ya wanna spend some money, Norton Interet Securty works pretty efficiently...and comes bundled with Norton Anti-Virus...one of the better anti-virus programs on the market.

lastly, a hardware firewall might not be that bad of an idea...

I would believe you have spyware on youre computer that causes this. Have ya tried running anti-virus & anti-spyware on it? If so, it shouldve caught it. DONT download what the website is advertising, its most likely spyware itself.

Reccomendations:: Microsoft Antispyware Beta (I have it, and suprisingly, it works pretty well) its found at the microsoft website, and is free

SpyBot: Sorta more for advanced users, i use it too,, works well
free,, its found at download.com

for antivirus software, i have Norton, which costs money

Logfile of HijackThis v1.99.1
Scan saved at 3:06:17 PM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Common Files\AOL\1118936981\ee\aolsoftware.exe
c:\program files\common files\aol\1118936981\ee\aolsoftware.exe
c:\program files\common files\aol\1118936981\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
…

I'm having a problem with a start up program titled 'jake.scr' I know it's spyware/malware because I accidently dl-ed it, and it caused AIM spamming. I somehow disabled it, and the only place I can find it now is in the startup registry in msconfig.

Title: jake
Command: jake.scr
Location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Also, another one of the programs listed has no title nor a command. In the spaces for it, its blank. The only thing I know about it is:

Location: SOFRWARE\Microsoft\Windows\CurrentVersion\Run

I would greatly appreciate help with this. I am kinda new at computer stuff.

Thanks

If a hijackThis log is needed, post and Ill post it .