Help would be very much appreciated!

Posted by: Peter1064

Hi, I have been asked to check a friend's PC after his ISP contacted him saying that his PC was causing problems on the network. There appear to be all sorts of problems with it, including Regedit locked out, Control-Alt-Delete does not work (the Task Manager window closes immediately; renaming Task Manager has no effect), and anti-virus programs don't run. I eventually managed to get HijackThis running by hitting the 'R' key and beating the malware to closing the window.

Logfile of HijackThis v1.99.1
Scan saved at 6:06:32 PM, on 5/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\mcsv.com
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\PCsync.exe
C:\WINDOWS\system32\hotkeysvc.exe
C:\WINDOWS\system32\TASKMAN4.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TASKMAN4.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
c:\recycler\wik.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe
c:\recycler\wik.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.manx.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com
O1 - Hosts: 212.58.240.33 www.symantec.com
O1 - Hosts: 212.58.240.33 www.sophos.com
O1 - Hosts: 212.58.240.33 www.mcafee.com
O1 - Hosts: 212.58.240.33 www.viruslist.com
O1 - Hosts: 212.58.240.33 www.f-secure.com
O1 - Hosts: 212.58.240.33 www.avp.com
O1 - Hosts: 212.58.240.33 www.kaspersky.com
O1 - Hosts: 212.58.240.33 www.networkassociates.com
O1 - Hosts: 212.58.240.33 www.ca.com
O1 - Hosts: 212.58.240.33 www.my-etrust.com
O1 - Hosts: 212.58.240.33 www.nai.com
O1 - Hosts: 212.58.240.33 www.trendmicro.com
O1 - Hosts: 212.58.240.33 www.grisoft.com
O1 - Hosts: 212.58.240.33 securityresponse.symantec.com
O1 - Hosts: 212.58.240.33 symantec.com
O1 - Hosts: 212.58.240.33 sophos.com
O1 - Hosts: 212.58.240.33 mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantecliveupdate.com
O1 - Hosts: 212.58.240.33 viruslist.com
O1 - Hosts: 212.58.240.33 f-secure.com
O1 - Hosts: 212.58.240.33 kaspersky.com
O1 - Hosts: 212.58.240.33 kaspersky-labs.com
O1 - Hosts: 212.58.240.33 avp.com
O1 - Hosts: 212.58.240.33 networkassociates.com
O1 - Hosts: 212.58.240.33 ca.com
O1 - Hosts: 212.58.240.33 mast.mcafee.com
O1 - Hosts: 212.58.240.33 my-etrust.com
O1 - Hosts: 212.58.240.33 download.mcafee.com
O1 - Hosts: 212.58.240.33 dispatch.mcafee.com
O1 - Hosts: 212.58.240.33 secure.nai.com
O1 - Hosts: 212.58.240.33 nai.com
O1 - Hosts: 212.58.240.33 update.symantec.com
O1 - Hosts: 212.58.240.33 updates.symantec.com
O1 - Hosts: 212.58.240.33 us.mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantec.com
O1 - Hosts: 212.58.240.33 customer.symantec.com
O1 - Hosts: 212.58.240.33 rads.mcafee.com
O1 - Hosts: 212.58.240.33 trendmicro.com
O1 - Hosts: 212.58.240.33 grisoft.com
O1 - Hosts: 212.58.240.33 sandbox.norman.no
O1 - Hosts: 212.58.240.33 www.pandasoftware.com
O1 - Hosts: 212.58.240.33 uk.trendmicro-europe.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] TASKMAN4.EXE
O4 - HKLM\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe
O4 - HKLM\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKLM\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] TASKMAN4.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] TASKMAN4.EXE
O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKCU\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - Startup: PC Health Plan.lnk = C:\Program Files\PC Health Plan\PC Health Plan.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F50F205-9160-4F55-8448-3F138B1E5CBF}: NameServer = 195.10.102.11 195.10.102.12
O20 - AppInit_DLLs: C:\Program Files\Stardock\Object Desktop\WindowBlinds\skincast\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)

Thanks for any help in advance.

Pete

Posted by: Lobos

Hi Peter, welcome to Tech Forums.

Download, unzip to your desktop [url=http://www.intermute.com/spysubtract/cwshredder_download.html]CWShredder[/url] and run it, then:

1. Click "[b][i]Check For Update[/i][/b]" and make sure your version is 2.14 ([i]If an update isn't available, skip to step #4.[/i])
2. Click "[b][i]Click here to Download the update[/i][/b]".
3. When the new version has been downloaded, click "[b][i]Save[/i][/b]".
4. Click "[b][i]Fix ->[/i][/b]"

===============

Let's look for, and delete, any program segments ([i]prefetches[/i]) that might be present and are associated with the '[i]problems[/i]' we're trying to remove from this system. To do this, let's:

1) Click "[b][i]Start | Search[/i][/b]", then search for each of these programs' [i]base name(s)[/i], in all files and folders:
[b][color=#ff0000]mcsv.com*[/color][/b]
[b][color=#ff0000]hotkeysvc.exe*[/color][/b]
[b][color=#ff0000]TASKMAN4.EXE*[/color][/b]
[b][color=#ff0000]wik.exe*[/color][/b]
2) Then, if any are found in the '[i]prefetch[/i]' folder, delete them. Look closely, since the '[i]base[/i]' name will have a bunch of random numbers and letters attached to it.

===============

Go to [b]Add/Remove programs[/b] and remove (uninstall) the following, if present:
[b][color=#ff0000]EBates MoeMoney[/color][/b]
The above could appear anywhere within the entry. Be careful not to remove any [i]personal[/i] or [i]system[/i] software.

===============

Next, open a [b]command prompt[/b] by:
1. Clicking "[b]Start[/b]", then "[b]Run...[/b]".
2. Enter "[b]cmd[/b]" ([i]without the quotes[/i]).
3. Enter "[b]services.msc[/b]" ([i]without the quotes[/i]).
- Now, locate and '[b][i]stop[/i][/b]' the following services, if present:
[b][color=#ff0000]CPQHotkeys[/color][/b] ... ([b][i]hotkeysvc.exe[/i][/b])
[b][color=#ff0000]Microsoft Update Machine[/color][/b] ... ([b][i]TASKMAN4.EXE[/i][/b])
Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.

===============

Run [b]HiJackThis[/b], then:
1. Click "[b][i]Config...[/i][/b]"
2. Click "[b][i]Misc Tools[/i][/b]"
3. Click "[b][i]Open Process manager[/i][/b]"
- Next, while holding down the [b]CTRL[/b] key, locate ([i]if present[/i]) and click on ([i]highlight[/i]) each of the following:
[b][color=#000000]C:\WINDOWS\system32\[/color][color=#ff0000]mcsv.com[/color][/b]
[b][color=#000000]C:\WINDOWS\system32\[/color][color=#ff0000]hotkeysvc.exe[/color][/b]
[b][color=#000000]C:\WINDOWS\system32\[/color][color=#ff0000]TASKMAN4.EXE[/color][/b]
[b][color=#000000]c:\recycler\[/color][color=#ff0000]wik.exe[/color][/b]
Now double-check and make sure that only the item(s) above are highlighted, then click "[b][i]Kill process[/i][/b]". Now, click "[b][i]Refresh[/i][/b]", check again, and repeat this step if any remain.

===============

Run [b]HiJackThis[/b] and click "[b][i]Scan[/i][/b]", then check (tick) the following, if present:
[color=#9933cc][b]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://www.websearch.com/ie.aspx?tb_id=50245[/url][/b][/color]
[color=#9933cc][b]R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)[/b][/color]
[color=#9933cc][b]F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.symantec.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.sophos.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.mcafee.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.viruslist.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.f-secure.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.avp.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.kaspersky.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.networkassociates.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.ca.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.my-etrust.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.nai.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.trendmicro.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.grisoft.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 symantec.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 sophos.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 mcafee.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 liveupdate.symantecliveupdate.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 viruslist.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 f-secure.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 kaspersky.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 kaspersky-labs.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 avp.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 networkassociates.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 ca.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 mast.mcafee.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 my-etrust.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 download.mcafee.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 dispatch.mcafee.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 secure.nai.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 nai.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 update.symantec.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 updates.symantec.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 us.mcafee.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 liveupdate.symantec.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 customer.symantec.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 rads.mcafee.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 trendmicro.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 grisoft.com[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 sandbox.norman.no[/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 [url]www.pandasoftware.com[/url][/b][/color]
[color=#9933cc][b]O1 - Hosts: 212.58.240.33 uk.trendmicro-europe.com[/b][/color]
[color=#9933cc][b]O4 - HKLM\..\Run: [CPQHotkeys] hotkeysvc.exe[/b][/color]
[color=#9933cc][b]O4 - HKLM\..\Run: [Microsoft Update Machine] TASKMAN4.EXE[/b][/color]
[color=#9933cc][b]O4 - HKLM\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe[/b][/color]
[color=#9933cc][b]O4 - HKLM\..\Run: [SDAv] C:\WINDOWS\svhost.exe[/b][/color]
[color=#9933cc][b]O4 - HKLM\..\RunServices: [CPQHotkeys] hotkeysvc.exe[/b][/color]
[color=#9933cc][b]O4 - HKLM\..\RunServices: [Microsoft Update Machine] TASKMAN4.EXE[/b][/color]
[color=#9933cc][b]O4 - HKCU\..\Run: [CPQHotkeys] hotkeysvc.exe[/b][/color]
[color=#9933cc][b]O4 - HKCU\..\Run: [Microsoft Update Machine] TASKMAN4.EXE[/b][/color]
[color=#9933cc][b]O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe[/b][/color]
[color=#9933cc][b]O4 - HKCU\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe[/b][/color]
[color=#9933cc][b]O4 - HKCU\..\RunServices: [CPQHotkeys] hotkeysvc.exe[/b][/color]
[color=#9933cc][b]O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm[/b][/color]
[color=#9933cc][b]O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)[/b][/color]
[color=#9933cc][b]O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - [url]http://static.windupdates.com/cab/CDT/ie/bridge-c6.cab[/url][/b][/color]
[color=#9933cc][b]O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - [url]http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab[/url][/b][/color]
[color=#9933cc][b]O17 - HKLM\System\CCS\Services\Tcpip\..\{6F50F205-9160-4F55-8448-3F138B1E5CBF}: NameServer = 195.10.102.11 195.10.102.12[/b][/color]
...([i]Verify that these IP addresses are for your ISP's DNS servers; if so, don't 'fix' these.[/i])
[color=#9933cc][b]O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)[/b][/color]

Now, with all windows closed except [b]HiJackThis[/b], click "[b][i]Fix checked[/i][/b]".

===============

Locate and [color=#ff0000][i]delete the following item(s)[/i][/color], if present. Make sure you're able to view system and hidden files/folders:

[i]files...[/i]
[b]C:\WINDOWS\[color=#ff0000]svhost.exe[/color][/b]
[b]C:\WINDOWS\system32\[color=#ff0000]hotkeysvc.exe[/color][/b]
[b]C:\WINDOWS\system32\[color=#ff0000]TASKMAN4.EXE[/color][/b]
[b]C:\WINDOWS\system32\[color=#ff0000]csnss.exe[/color][/b]
[b]C:\WINDOWS\system32\[color=#ff0000]mcsv.com[/color][/b]

Empty the recycle bin.

Note that some of these file(s) may or may not be present. If present, and they cannot be deleted because they're '[i]in use[/i]', try deleting them from "[url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam]Safe Mode[/url]".

===============

Post back a new log, and let me know how everything goes.

- Lobos.

Posted by: Peter1064

Lobos,

Thanks for your reply. I will have a go, hopefully tonight. Unfortunately though, the command prompt has also been disabled. The only process manager I can access is the one in HijackThis, so I may have to skip the command prompt step.

Also, I had a CD of anti-virus utilities with me (including CWShredder). When I put this in the drive and opened it, the malware closed the window immediately! I am hoping that it will let me d/l CWShredder. (I'll take a copy on a floppy too.)

I'll keep you posted.
Pete

Posted by: Peter1064

Lobos,

I carried out your instructions and now the PC is working fine. Now it allows me to run anti-virus software. I ran Ad-Aware, which found literally hundreds of items. Then AVG found 110 infected files, with quite a diversity of virii, dialers, worms etc.

I would like to take this opportunity to thank you for your help and, as requested, I have posted another log.

C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.manx.net/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.meshcomputers.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F50F205-9160-4F55-8448-3F138B1E5CBF}: NameServer = 195.10.102.11 195.10.102.12
O20 - AppInit_DLLs: C:\Program Files\Stardock\Object Desktop\WindowBlinds\skincast\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

--
Peter

Posted by: Lobos

No problem, but if you could post the whole log (you're missing the top part of it) it will help me make sure nothing is bad in your log.

Posted by: Peter1064

Sorry about that.
Logfile of HijackThis v1.99.1
Scan saved at 7:13:09 PM, on 5/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.manx.net/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.meshcomputers.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F50F205-9160-4F55-8448-3F138B1E5CBF}: NameServer = 195.10.102.11 195.10.102.12
O20 - AppInit_DLLs: C:\Program Files\Stardock\Object Desktop\WindowBlinds\skincast\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Regards,
Peter

Posted by: Lobos

Could you do a search for this file, [b]cthelper.exe[/b], upload it here: [url]http://virusscan.jotti.org/[/url] and let me know what it says.

Lobos

Posted by: Peter1064

Lobos,

I can't find the file on the system. Windows search seems to get stuck in the windows\printers & faxes folder, so I dropped onto the command prompt and did a dir /s with no results found.

Peter

Posted by: Lobos

Sorry, you may need to show hidden files and folders.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Posted by: Warez Monster

Remove entries at your own risk.

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/...all/xscan53.cab[/url]
This entry is possibly nasty. Should be fixed.
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F50F205-9160-4F55-8448-3F138B1E5CBF}: NameServer = 195.10.102.11 195.10.102.12
If this domain does not belong to your ISP, or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or domain '195.10.102.11 195.10.102.12'? If not, fix this.

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
These entries show all services which are not from Microsoft. Often malware is starting as a system service and it's not easy to detect it. This service () was identified as a good one. Unnecessary (deactivated) entry that can be fixed.
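The patterns Lobos and Warez Monster pick out of the logs above (a block of anti-malware vendor hostnames all pointed at one IP in the hosts file, a second executable chained onto UserInit, and autorun entries named after Windows binaries such as svhost.exe and csnss.exe) can be checked mechanically before a log is read by hand. The Python triage script below is an added example, not code from this thread or from HijackThis; its sample log lines are constructed to match the shape of Peter's first log, and the vendor keyword list, the reference binary names and the thresholds are assumptions.

```python
"""Triage of HijackThis-style log lines for the hijack patterns this thread
walks through: anti-malware vendor hostnames pinned to one IP in the hosts
file, UserInit chained to a second executable, and O4 autoruns that imitate
a Windows binary or carry no path. The sample lines are constructed in the
shape of the thread's first log; keyword lists and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sample (shape of the thread's first log, not the full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com
O1 - Hosts: 212.58.240.33 www.symantec.com
O1 - Hosts: 212.58.240.33 www.sophos.com
O1 - Hosts: 212.58.240.33 liveupdate.symantec.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update Machine] TASKMAN4.EXE
O4 - HKLM\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKCU\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe
"""

# Assumed substrings that identify anti-malware vendors' hostnames.
VENDOR_KEYWORDS = ("symantec", "sophos", "mcafee", "kaspersky", "f-secure",
                   "avp.com", "trendmicro", "grisoft", "viruslist", "nai.com",
                   "pandasoftware", "norman", "etrust")
# Assumed Windows binary names that malware likes to imitate.
REFERENCE_NAMES = ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "explorer.exe", "taskmgr.exe")
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
EXEC_RE = re.compile(r'"?(.+?\.(?:exe|com|scr|bat))\b', re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance, used to spot one-letter-off imitations of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def pinned_vendor_hosts(lines, min_names=3):
    """IPs that several O1 hostnames resolve to, with the AV-vendor names among
    them: a block of vendor sites all sent to one address is the update-blocking
    trick seen in this thread's hosts entries."""
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line)
        if m:
            by_ip[m.group(1)].append(m.group(2).lower())
    found = {}
    for ip, names in by_ip.items():
        vendors = [n for n in names if any(k in n for k in VENDOR_KEYWORDS)]
        if len(names) >= min_names and vendors:
            found[ip] = vendors
    return found


def userinit_chain(lines):
    """Executables chained after userinit.exe in the F2 line (empty when clean)."""
    for line in lines:
        m = USERINIT_RE.match(line)
        if m:
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            return [p for p in parts if not p.lower().endswith("userinit.exe")]
    return []


def suspicious_autoruns(lines, max_distance=2):
    """O4 autoruns whose image imitates a Windows binary name or has no path.
    Path-less entries are a verify list, not proof: some vendor tools use them."""
    hits = []
    for line in lines:
        name, _, command = line.partition(": [")[2].partition("] ")
        m = EXEC_RE.match(command) if line.startswith("O4 - HK") else None
        if not m:
            continue
        image = m.group(1)
        base = image.rsplit("\\", 1)[-1].lower()
        if base in REFERENCE_NAMES:
            continue  # the genuine binary itself, not an imitation
        like = [r for r in REFERENCE_NAMES if levenshtein(base, r) <= max_distance]
        if like:
            hits.append((name, image, "imitates " + like[0]))
        elif "\\" not in image:
            hits.append((name, image, "no path; verify"))
    return hits


def triage(log_text):
    """Run the three checks over a raw HijackThis log and collect the findings."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    return {"pinned_hosts": pinned_vendor_hosts(lines),
            "userinit_extra": userinit_chain(lines),
            "autoruns": suspicious_autoruns(lines)}
```

Calling `triage(SAMPLE_LOG)` (or `triage(open("hijackthis.log").read())` on a saved log) returns the three finding lists; the O17 NameServer check Warez Monster describes is left to a human, since only the owner can say whether those addresses belong to the ISP.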