Full Version: Computer problems and/or questions
Kashima Wrote: Google search hijack this and then go to their part of the website where you copy and paste the log. I had a similar problem to that a few months ago. One, deleting the user profile does not help because the desktop hijacker could be attached to something you save and carry over to the new one. Two, spyware and virus scans don't find it. Three, it can corrupt your operating system over time, because it did so with mine.

Yes, if something is installed in the Windows folder or in an area where all profiles can access it, deleting the profile is pointless.

Faulkie, just a warning: ask for help before trying to do anything with programs like HijackThis etc. If you mess up, you could delete registry keys that are actually important.
Ok, I'm not gonna do anything just yet. Everyone's telling me to do different things. Deleting the user profile won't work, right? So could someone tell me the best thing to do? Thanks.
Quote: Google search hijack this and then go to their part of the website where you copy and paste the log
Quote: Download "Hijackthis" run it and post the log here
*cough*trytheabove*cough*
Ok, gotcha.

This is the scan from this new profile. If there's nothing weird there it didn't spread to this one, right?

Logfile of HijackThis v1.99.1
Scan saved at 11:54:58 PM, on 8/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Block Checker\block-checker.exe
C:\program files\zango\zango.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Your Mother\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\System32\navshext.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ac16059d153] C:\WINDOWS\System32\ac16059d153.exe
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
O4 - HKLM\..\Run: [mozilla-text] hyandex.exe
O4 - HKLM\..\Run: [runload32] KeywordFinder.exe
O4 - HKLM\..\Run: [zango] c:\program files\zango\zango.exe
O4 - HKCU\..\Run: [ac16059d153] C:\WINDOWS\System32\ac16059d153.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [SpyElim] WhatsNewBot.exe
O4 - HKCU\..\Run: [xwiz] Bogobot.exe
O4 - HKCU\..\Run: [backd] UserSp1.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {10000000-1000-0000-0000-000000000000} - file://C:\\Recycler\\Q678341.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.83/users/sale/web/axe/...update.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/mi...Loader.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers...taller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMes...loader.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1953.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{690A5DBD-7F36-423B-B12A-1259174DD7B3}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{C44D9D9D-E048-4E4D-8820-A46F48A71E03}: NameServer = 69.50.176.158,85.255.112.8
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
zango.exe: 180Solutions/N-Case adware variant
From above URL Wrote: Removal

nCase/msbb and rnd may include two uninstallers (if any), named ‘Insterstitial ad delivery by n-Case’ and ‘PAD lookups by n-Case’. Both have to be used before the software is removed; both require internet access and simply attempt to download further uninstallers which also require internet access, and sometimes still don’t work. Manual removal will probably be faster than this rigmarole.

The other variants have at most one installer, ‘Uninstall 180Search Assistant’ or ‘Zango’. This also requires internet access, and requires several stages of confirmation pages fetched from 180solutions’s site, but does remove the software without a further download.

All uninstallers leave the nCase/Inst control in place, allowing nCase to be reinstalled without prompting. To remove this, open the Downloaded Program Files folder (inside the Windows folder) and delete the entry ‘nCaseInstaller Class’ (nCase/Inst/nc variant), ‘180SAInstaller Class’ (nCase/Inst/180SA variant) or ‘ZangoInstaller Class’ (nCase/Inst/Zango variant).
Manual removal

Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’), select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and right-click the entry on the right with the name ‘msbb’ (nc and msbb variants), ‘saie’, ‘saie’, ‘sais’, ‘salm’, ‘saap’, ‘sain’, ‘180ax’, ‘180adsolution’, ‘zango’, or in the case of the rnd variant, a random name 3-9 lower-case letters long pointing at a .exe file of the same name.

Delete this entry, noting the filename it was pointed at. nCase can be installed in any location on the hard disc, depending on the whim of the installer. Common locations include in a folder in Program Files named ‘nCase’, ‘n-Case’, ‘MSBB’, ‘180Solutions’ and ‘180Search Assistant’, along with the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me), the Temp folder (inside the user profile Local Settings folder in Documents and Settings, or directly in the Windows folder in Windows 95/98/Me) and the Application Data folder (inside the user profile folder or the Windows folder in 95/98/Me). It can also often be found inside the Program Files folder of another program that installed it.

For the Alert variant, also check the Run key for an entry with a random upper-case name 3-6 letters long pointing to a .exe file of the same name in the Windows folder. Note the name and delete the entry if there is one.

Restart the computer and you should be able to delete the files whose names you noted. You can also remove files using the names in the table above, stored in the same folders as the main executable, and the empty temporary folder named ‘FLEOK’, along with any icon (.ico) files nCase has downloaded to put onto the desktop.

To clean up, you can also delete the registry keys in HKEY_CURRENT_USER\Software and HKEY_LOCAL_MACHINE\Software with the name ‘msbb’ (nc, rnd, msbb variants), ‘saie’, ‘sais’, ‘salm’, ‘saap’, ‘sain’, ‘180solutions’ or ‘zango’ and, if present, the uninstall key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall called ‘nCASE’, ‘msbb’ or ‘zango’.

block-checker.exe http://forum.mess.be/index.php?showtopic=10889 you decide.

ac16059d153.exe also looks very suspicious, but I can't find any info on it.

hyandex.exe NTROOTKIT Trojan or 'WareOut'
http://www.doxdesk.com/parasite/WareOut.html
Quote: Use the entry in the Control Panel’s Add/Remove Programs list to remove the software, then restart the computer, open the Windows folder and delete the file wotmp.tmp or wotmp11.tmp, then open the System32 folder (inside the Windows folder, called just ‘System’ on Windows 95/98/Me) and delete the file wosys.dll or wosysdll.dll.

To clean up the fake spyware traces WareOut installs, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. For each, look at the entry list on the right and delete entries using the names/filenames above. Then select the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks and delete the randomly-numbered entries on the right except the default search hook {CFBFAE00-17A6-11D0-99CB-00C04FD64497}.
NTROOTKIT:
http://vil.nai.com/vil/content/v_135403.htm
http://vil.nai.com/vil/content/v_134117.htm

KeywordFinder.exe Trojan - Part of wareout.
http://www.doxdesk.com/parasite/WareOut.html

WareOut.exe - See above.

WhatsNewBot.exe - See above.

Bogobot.exe - See above.

UserSp1.exe - See above. Anyone else tired of this...

Q678341.exe
Quote:
# Determination: Bad
# This program has a file name of Q678341.EXE. It has a file size of 3,493 bytes and is found in the folder [%PROGRAMFILES%\WINDOWS MEDIA PLAYER\].
# We do not currently have any Vendor or Product Information about this program.
# This program has been run as part of a download process.
# This program was first seen by our users on Jul 9 2005. Only one user has seen this specific version of this program on their PC. This program has only been seen in operation once within our user base. We have only seen this one version of this program in use within our user base.
# This program is malware and is not considered safe. It is part of a Malware group sometimes referred to as Win32/Suspicious_M.gen. It should be Jailed.
Just quarantine it.

Hope that helps.
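The replies above work through the posted log by hand: O4 Run entries that are bare file names with no path (hyandex.exe, KeywordFinder.exe, UserSp1.exe), O16 controls fetched from file:// paths or a raw IP, and the two O17 NameServer addresses. The Python script below is an added example, not HijackThis, doxdesk or any poster's code; it applies those same checks to a subset of the log lines posted earlier in the thread. The allow-listed resolvers (RFC 5737 documentation addresses) and the set of launchers that are allowed to appear without a path are assumptions you would replace with your own ISP's DNS servers and your own baseline.

```python
"""Triage helper for HijackThis-style logs (added example, not the tool's own code).

Flags the entry types the thread's replies single out:
  * O4 Run entries whose command is a bare file name with no directory,
    so the binary's real location on disk is hidden from the reader;
  * O16 DPF entries fetched from file:// paths or from raw IP hosts;
  * O17 NameServer entries not on an administrator-supplied allow-list;
  * O2 BHO entries registered against "(no file)" (orphaned keys).
"""
import ipaddress
import re
from urllib.parse import urlparse

# Resolvers expected in O17 entries.  ASSUMED placeholder (RFC 5737 range);
# a real check lists the ISP's or the organisation's own DNS servers.
ALLOWED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Launchers that legitimately appear without a path because Windows finds
# them in System32 via PATH (assumed baseline; extend for your own systems).
PATHLESS_SYSTEM_LAUNCHERS = {"rundll32", "rundll32.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mozilla-text] hyandex.exe
O4 - HKLM\..\Run: [runload32] KeywordFinder.exe
O4 - HKCU\..\Run: [backd] UserSp1.exe
O16 - DPF: {10000000-1000-0000-0000-000000000000} - file://C:\\Recycler\\Q678341.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1953.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{690A5DBD-7F36-423B-B12A-1259174DD7B3}: NameServer = 69.50.176.158,85.255.112.8
"""


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_ip_literal(host: str) -> bool:
    """True when the URL host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(lines):
    """Return (section, item, reason) tuples for entries that deserve a closer look."""
    findings = []
    for line in lines:
        line = line.rstrip()
        if m := O2_RE.match(line):
            if m["path"].strip().lower() == "(no file)":
                findings.append(("O2", m["clsid"], "BHO registered against a file that no longer exists (orphaned key)"))
        elif m := O4_RE.match(line):
            exe = executable_of(m["cmd"])
            # A bare name is resolved via PATH at logon; the reader cannot tell where it lives.
            if "\\" not in exe and exe.lower() not in PATHLESS_SYSTEM_LAUNCHERS:
                findings.append(("O4", m["name"], f"bare file name '{exe}' with no path; locate it on disk before judging it"))
        elif m := O16_RE.match(line):
            url = m["url"]
            if "file://" in url.lower():
                findings.append(("O16", m["clsid"], "ActiveX control sourced from a local file path, not a web server"))
            else:
                host = urlparse(url).hostname
                if host and is_ip_literal(host):
                    findings.append(("O16", m["clsid"], f"ActiveX control downloaded from raw IP address {host}"))
        elif m := O17_RE.match(line):
            for server in (s.strip() for s in m["servers"].split(",")):
                if server and server not in ALLOWED_RESOLVERS:
                    findings.append(("O17", m["key"], f"DNS resolver {server} is not on the allow-list"))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"[{section}] {item}: {reason}")
```

Run it against a saved log with `triage(open(path).read().splitlines())`. The O4 check deliberately treats a bare name as "go and find the file" rather than "malicious": nwiz.exe from the same log would be flagged too, and the right response is to locate it and check its publisher, which is exactly the step the manual-removal instructions above ask you to do before deleting anything.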
You have far too many running applications. Also, go to Start > Run, type in cmd. In the box type netstat. The fewer connections the better. Mine has none, which is impossible, but that's because I tend to fiddle around with port hiding, similar to a firewall; they're there really.


Also, Legato, Norton AntiVirus is about as useful at catching viruses/virii (age-old debate, that one) as a chocolate fireguard.
Wow thanks Phantom! I'm gonna sort all that ASAP. Too bad Windows is refusing to run at the moment... (I'm using a different computer right now if you were wondering.)

And Norton isn't that bad... is it?
Yes, I just scanned a file which I know to be a virus (I created it), and it said it was safe. Real safe changing the autoexec.bat file... not.
I find Ad-Aware SE gets all the spyware off of my computer. I hardly ever get spyware, but whenever I do it spots it. It's a good little program, you should try running a scan with it.
God, I really hope I'm not sounding like a d1** but AdAware is the Norton AntiVirus of spyware protection. If ya don't believe me, download XoftSpy ( http://www.xoftspy.com/download.asp ) and run it, then see if you get much.