1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HELP! HijackThis log, need assistance.

Discussion in 'Virus & Other Malware Removal' started by NiNJaCYaNiDe, Feb 3, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. NiNJaCYaNiDe

    NiNJaCYaNiDe Thread Starter

    Joined:
    Jul 29, 2004
    Messages:
    21
    Ok, I really have no idea whats going on here. Everything has been fine until today. I go onto the internet, and I get bombarded by spyware. I ran Adaware, Spybot S&D, and Microsoft Anti-Spyware and deleted over 400 files of spyware, yet I see almost no improvement, infact, its gotten worse. I now have no wallpaper at all, it seems like webpage or something but nothing is there. The process running it is called Desktop.exe which I cannot delete. I ran Norton Anti-Virus and AVG, and it now constantly tells me all these different viruses/trojans I have. I choose to delete them, and they still come back. I have tried MSCONFIG to remove them from startup, but that doesn't help. I downloaded HijackThis, so here is what it shows.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\isrvs\desktop.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\ppnvj.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
    C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [405M] C:\WINDOWS\ppnvj.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Forceware Web Interface - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ForceWare IP service - Unknown - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service - Unknown - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    I have not allowed any of those trusted zones, nor been informed of them becoming trusted zones. Something has deactivated my Windows Security, and I cannot change any of the options associated with it. Please help!
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    First of all you have Norton AND AVG running one needs to go!

    download http://www.mvps.org/winhelp2002/DelDomains.inf do not run yet

    Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

    Print this and boot to safe mode

    Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute

    Fix these with HJT

    R3 - Default URLSearchHook is missing

    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll

    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll

    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

    O4 - HKLM\..\Run: [405M] C:\WINDOWS\ppnvj.exe

    O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe

    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll

    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\system32\wnim.dll
    C:\WINDOWS\ZServ.dll
    C:\WINDOWS\ppnvj.exe

    Delete these folders

    C:\WINDOWS\isrvs


    START – RUN – key in %temp% - Edit – Select all – File – Delete
    Empty the recycle bin
    Boot and post a new log
     
  3. NiNJaCYaNiDe

    NiNJaCYaNiDe Thread Starter

    Joined:
    Jul 29, 2004
    Messages:
    21
    Ok, I think I did everything you said. It did seem to take away some of my problems, but my desktops wallpaper is still really messed up. If I try to right click my desktop, It then shows my wall paper...but I lose all icons and mouse control and am forced to reboot. My Norton Anti-Virus won't even update, I'm told to check my internet connection, which is obviously fine. Heres my new log.


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
    C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Forceware Web Interface - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ForceWare IP service - Unknown - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service - Unknown - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You have not stopped one of the AV's - you should only have one AV running

    Fix

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm

    O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe

    Boot and post a new log
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/326451

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice