1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

need help to fix or remove

Discussion in 'Web & Email' started by rmhjr346, Jul 4, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. rmhjr346

    rmhjr346 Thread Starter

    Joined:
    Jul 4, 2004
    Messages:
    8
    Here is my spybot report.

    --- Report generated: 2004-07-04 11:47 ---

    Cookie: Cookie (25) (Cookie, nothing done)


    Advertising.com: Tracking cookie (Internet Explorer: susan) (Cookie, nothing done)


    Advertising.com: Tracking cookie (Internet Explorer: susan) (Cookie, nothing done)


    Common Dialogs: History (4 files) (Registry key, nothing done)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

    DoubleClick: Tracking cookie (Internet Explorer: susan) (Cookie, nothing done)


    Internet Explorer: URL history #1 (9 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1709162666-1316817595-1404449762-1006\Software\Microsoft\Internet Explorer\TypedURLs

    Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\wmiprov.log

    Log: Activity: ntbtlog.txt (Backup file, nothing done)
    C:\WINDOWS\ntbtlog.txt

    Log: Activity: SchedLgU.Txt (Backup file, nothing done)
    C:\WINDOWS\SchedLgU.Txt

    Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\wbemess.log

    Log: Shutdown: System32\wbem\logs\winmgmt.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\winmgmt.log

    MS Direct3D: Most recent application (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name!=

    MS DirectDraw: Most recent application (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

    MS Regedit: Recent open key (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1709162666-1316817595-1404449762-1006\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey!=

    ValueClick: Tracking cookie (Internet Explorer: susan) (Cookie, nothing done)


    Windows Explorer: Recent file global history (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1709162666-1316817595-1404449762-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

    Windows Explorer: Last visited history (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1709162666-1316817595-1404449762-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

    Windows Explorer: Run history (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1709162666-1316817595-1404449762-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

    Windows Explorer: User Assistant history files (13 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1709162666-1316817595-1404449762-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

    Windows Explorer: User Assistant history IE (6 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1709162666-1316817595-1404449762-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-06-16 Includes\Cookies.sbi
    2004-06-16 Includes\Dialer.sbi
    2004-06-16 Includes\Hijackers.sbi
    2004-06-16 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-06-16 Includes\Malware.sbi
    2003-04-28 Includes\plugin-ignore.ini
    2004-06-16 Includes\Revision.sbi
    2004-06-16 Includes\Security.sbi
    2004-06-16 Includes\Spybots.sbi
    2004-06-16 Includes\Tracks.uti
    2004-06-16 Includes\Trojans.sbi
    her is my email address [email protected]
    MY software is WINDOWS XP HOME
    inertnet explorer 6.0
     
  2. etaf

    etaf Wayne Moderator

    Joined:
    Oct 2, 2003
    Messages:
    55,967
    hi, and welcome to TSG

    can you provide some details of what your problem is ?
    what windows version ?
    some specs on PC ?

    Most of the secruity gurus here will decode hijackthis logs

    HIJACK THIS:
    Try not to reboot
    Currently the Spyware identified by the security experts and especially the morphing and breeding .exe`s in the new variants of CWS, after every re-boot required by Ad-Aware and Spybot etc, just spawns more and more files for the poster to find and delete. This is making the advice the security experts give just too hard to follow.
    One of the security experts recently had one log with over a hundred files, they guy had to format c: drive.

    Download and copy hijackthis to its own folder , it makes backups so keeping them separate and available can be useful.

    Note the Spyware tools websites are very often under attack and so I have provided more than 1 location to download from:

    http://www.tomcoyote.org/hjt/
    http://209.133.47.200/~merijn/downloads.html
    http://www.thespykiller.co.uk/
    http://www.sherrylynn.us/privacypolicy

    Close all open windows and open Hijack This. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”.
    Click on “Save Log” and then save it to NotePad.
    Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.
    DO NOT FIX ANYTHING wait advice from one of the many security experts in this forum.

    I currently do not have the skill/competence to advise and poor advice can be far more damaging to your PC with this software, and so I will nolonger be replying to your post, so please have patience and wait for one of the secruity experts to provide further detailed advice
     
  3. rmhjr346

    rmhjr346 Thread Starter

    Joined:
    Jul 4, 2004
    Messages:
    8
    I have edited the post for you. If you need more let me know.
     
  4. southernlady

    southernlady

    Joined:
    May 6, 2004
    Messages:
    1,922
    Well, you do have some major problems.

    Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\wbemess.log is the W32.HLLW.Shower.L and that's the "Zoo Worm" http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.shower.l.html

    Log: Activity: ntbtlog.txt (Backup file, nothing done)
    C:\WINDOWS\ntbtlog.txt is the W32.Paps.A@mm and that's just a worm. http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

    But I think you have enough to worry about. I don't know how to fix it so I'll wait til one of the experts comes along to help. Liz
     
  5. rmhjr346

    rmhjr346 Thread Starter

    Joined:
    Jul 4, 2004
    Messages:
    8
    Liz thank you for your reply I have Posted my Hjack report. I would like you to see it and what you may help on.
    Again thank very much.
     
  6. etaf

    etaf Wayne Moderator

    Joined:
    Oct 2, 2003
    Messages:
    55,967
    would you run hijackthis and post the log into this thread.
    if necessary we can then move to secruity to review -
    but i think a log would be helpful - as described above
     
  7. rmhjr346

    rmhjr346 Thread Starter

    Joined:
    Jul 4, 2004
    Messages:
    8
    hers what you looking fore. I thank you for the repitted reply,. please see what you can do. I have a copy of my register if you Interrseted.
    Logfile of HijackThis v1.98.0
    Scan saved at 7:56:03 PM, on 7/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\csuptfn.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\Connectix\Connectix Desktop Designer\WpCycleWin.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\susan\Desktop\games\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\Windows Registry Repair Pro.exe -X
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [sdeb] C:\WINDOWS\sdeb.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [kyezrrij] C:\WINDOWS\System32\csuptfn.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [ghsbinkv] C:\WINDOWS\ghsbinkv.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [DDStartup] c:\Program Files\Connectix\Connectix Desktop Designer\DDStartup.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [bwb] C:\WINDOWS\bwb.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [WPCycle.exe] c:\Program Files\Connectix\Connectix Desktop Designer\WpCycleWin.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\icq.exe -minimize
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Support - {9037FB20-4B20-487E-AEEE-45478F62EF54} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
     
  8. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    69,451
    Run Spybot again, make sure to check for updates prior to running the scan.

    Scan your machine then click on fix problems.

    Reboot. Go here http://forums.techguy.org/t110854/s.html and run at least 2 of the on-line virus scanners.

    Reboot and post another hijackthis log.
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/246370