ComputerForum.com
09-07-2005, 09:57 AM   #1
New Member
Join Date: Sep 2005
Posts: 8
winstyle2.dll

I receive this annoying message from Norton AntiVirus for finding a trojan threat:
q14451079_disk.dll
Logfile of HijackThis v1.99.1
Scan saved at 10:53:52 PM, on 9/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\MSI\DigiCell\DigiCell.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PowerPanel\upssrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PowerPanel\upsio.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Downloads\hijackthis\HijackThis.exe
atanas61


09-07-2005, 09:59 AM   #2
New Member
Join Date: Sep 2005
Posts: 8

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BounceBack Launcher.lnk = ?
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: DigiCell.lnk = C:\Program Files\MSI\DigiCell\DigiCell.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rra...X/RraainAX.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1104951329860
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/r...1/isetupml.cab
O16 - DPF: {9E214F45-89C2-4DE3-94A9-530EB1D05F7E} - http://www.quest3d.com/Quest3D_WebInstall.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57FB19C5-D439-47D1-842D-9A74A4AC1404}: NameServer = 206.13.31.12 206.13.28.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C2E4D39-9F24-460F-8D96-0B3A65E7A2F5}: NameServer = 65.65.63.1,63.65.63.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{57FB19C5-D439-47D1-842D-9A74A4AC1404}: NameServer = 206.13.31.12 206.13.28.12
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power System Inc. - C:\PowerPanel\upssrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
atanas61
09-07-2005, 09:12 PM   #3
Malware Destroyer
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093

atanas61,

You have some spyware in your log not related to the stoyle trojan. But first let's deal with stoyle, then the log. Please update your Norton, reboot to safe mode (tapping the F8 key when rebooting), open Norton (it will tell you it has limited functionality, that's ok), and run a full system scan. Verify that it was able to get rid of the winstyle2.dll file (stoyle trojan). If successful, reboot normal and put a check/fix in the following items (in HijackThis):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com


You also have 3 sets of DNS server addresses! Check to see if any of them are from your ISP; if they are, leave them alone, if not, check them as well:

O17 - HKLM\System\CCS\Services\Tcpip\..\{57FB19C5-D439-47D1-842D-9A74A4AC1404}: NameServer = 206.13.31.12 206.13.28.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C2E4D39-9F24-460F-8D96-0B3A65E7A2F5}: NameServer = 65.65.63.1,63.65.63.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{57FB19C5-D439-47D1-842D-9A74A4AC1404}: NameServer = 206.13.31.12 206.13.28.12


Post back and let us know how well Norton handled the winstyle2.dll file in safe mode!
__________________
Don't byte off more than you can chew...
Byteman
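The two checks Byteman asks for above (which O17 name servers are not the ISP's, and which R0/R1 start/search URLs point somewhere unexpected) are easy to automate when you are reading many of these logs. The following Python script is an added example for this thread; it is not HijackThis code and not something either poster ran. It parses HijackThis-style R0/R1, O4 and O17 lines and reports the entries a reviewer would look at first. The sample lines are copied from the log posted above; the "trusted DNS" set and the allowed start-page host are assumptions made for the demonstration, not a statement about which of the addresses in the log belong to the ISP.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

# Sample lines copied from the HijackThis log posted in this thread; the
# selection is constructed for this example and is not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{57FB19C5-D439-47D1-842D-9A74A4AC1404}: NameServer = 206.13.31.12 206.13.28.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C2E4D39-9F24-460F-8D96-0B3A65E7A2F5}: NameServer = 65.65.63.1,63.65.63.1
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Every HijackThis line starts with a section code (R0, O4, O17, ...) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 registry autoruns look like: HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")


@dataclass
class Entry:
    code: str        # section code, e.g. "R1", "O4", "O17"
    raw: str         # the original line, for reporting
    key: str = ""    # registry value, run-entry name or NameServer key
    value: str = ""  # URL, command line or name-server list


def parse_line(line):
    """Parse one log line into an Entry, or return None for non-HijackThis text."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code == "O4":
        m4 = O4_RE.match(body)
        if m4:
            return Entry(code, line, m4.group("name"), m4.group("command"))
    if " = " in body:                      # R0/R1, O17 and startup-folder O4 lines
        key, value = body.split(" = ", 1)
        return Entry(code, line, key.strip(), value.strip())
    return Entry(code, line, "", body)     # O2/O3/O23 etc.: keep the body as-is


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def name_servers(entry):
    """Split an O17 NameServer value; HijackThis shows them space- or comma-separated."""
    if entry.code != "O17":
        return []
    servers = []
    for token in re.split(r"[\s,]+", entry.value):
        if not token:
            continue
        try:
            ip_address(token)          # keep only well-formed IP literals
        except ValueError:
            continue
        servers.append(token)
    return servers


def unexpected_dns(entries, trusted):
    """Name servers in O17 lines that are not in the ISP's known set (deduplicated, order kept)."""
    seen, out = set(), []
    for e in entries:
        for s in name_servers(e):
            if s not in trusted and s not in seen:
                seen.add(s)
                out.append(s)
    return out


def search_hijacks(entries, allowed_hosts):
    """R0/R1 start/search URLs whose host is not on the allow-list (about:blank etc. count as '')."""
    flagged = []
    for e in entries:
        if e.code in ("R0", "R1"):
            host = urlsplit(e.value).hostname or ""
            if host not in allowed_hosts:
                flagged.append(e)
    return flagged


def triage(text, trusted_dns, allowed_hosts):
    """Summarise a log: counts, suspicious DNS servers, off-list start pages, all autoruns."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "unexpected_dns": unexpected_dns(entries, trusted_dns),
        "search_hijacks": [e.raw for e in search_hijacks(entries, allowed_hosts)],
        "autoruns": [(e.key, e.value) for e in entries if e.code == "O4"],
    }


if __name__ == "__main__":
    # Assumed for the demonstration: the first O17 pair is the ISP's, the start page host is the ISP portal.
    report = triage(SAMPLE_LOG, {"206.13.31.12", "206.13.28.12"}, {"yahoo.sbc.com"})
    for k, v in report.items():
        print(k, "->", v)
```

With the assumed trusted set, the script reports the second O17 pair as unexpected and the R1 search-bar line as pointing off the allow-list, which is the same shortlist Byteman hand-picked; replace the two assumed sets with what you actually know about the machine before trusting its output.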
09-08-2005, 07:07 AM   #4
New Member
Join Date: Sep 2005
Posts: 8
winstyle2.dll

Norton AntiVirus didn't find winstyle2.dll; actually it didn't find any virus in my PC! Also I did clean all nine entries! Now I want to see if these messages will show up again! Thank you again for your help! atanas
atanas61
09-08-2005, 07:50 AM   #5
New Member
Join Date: Sep 2005
Posts: 8
winstyle2.dll

Unfortunately the high risk message from Norton AntiVirus shows up again!
c:\windows\q3645401_disk.dll will be deleted!
atanas61


09-08-2005, 05:00 PM   #6
Malware Destroyer
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093

You may want to print out these instructions first...

Download Kaspersky AntiVirus.

Disable the real-time scanner of your antivirus program.

Install and open Kaspersky, click the "Configure Real-time Protection" link, on EACH tab uncheck "Enable Real-time..." and click OK.

Click the "Update Now" link, let it download the updates.

Now boot your computer to safe mode (tapping the F8 key when booting up).

Right-click the Windows taskbar and click Task Manager, click the "Processes" tab, and leave Task Manager open and visible.

Open Kaspersky and move it so that you can see both Kaspersky and part of Task Manager on your screen.

Now, click on Task Manager to bring it to the front and find the process named "explorer.exe", right-click it and choose "End Process" (your icons and taskbar will disappear, that's ok).

***IMPORTANT: Leave BOTH Task Manager AND Kaspersky open. Do NOT close either one!

Click on Kaspersky to bring it to the front and click the "Scan My Computer" link. Let the scan finish.

After the scan is finished, click on Task Manager to bring it to the front. Click the File menu, select "New Task (Run)", then type "explorer.exe" (without the quotation marks), then click OK (your icons and taskbar will come back).

In Kaspersky, go to the Reports link; you will find the results of the "Scan My Computer" virus scan that you just did. Double-click it, click the "Reports" tab and then the "Export detailed report to a file" link. Save the file on your desktop. Close the program and reboot normal, then post the contents of that report here for me.
__________________
Don't byte off more than you can chew...
Byteman
09-08-2005, 10:16 PM   #7
New Member
Join Date: Sep 2005
Posts: 8
winstyle2.dll

I don't know if I did everything as you asked me! But your antivirus program asked me to fix the problems! After that I can't start IE anyway!
Attached Files
File Type: zip report.zip (15.9 KB, 6 views)
atanas61
09-08-2005, 10:31 PM   #8
Malware Destroyer
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093

IE can be fixed easily enough. Can you post another HijackThis log please? And is your Norton still giving you the messages?
__________________
Don't byte off more than you can chew...
Byteman
09-09-2005, 06:59 AM   #9
New Member
Join Date: Sep 2005
Posts: 8
winstyle2.dll

So far the messages haven't shown up; we'll see when we recover IE. By the way, I can't run the Norton AntiVirus scan!
Attached Files
File Type: txt hijackthis2.txt (9.9 KB, 47 views)
atanas61
09-09-2005, 03:19 PM   #10
Malware Destroyer
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093

atanas61,
Kaspersky did its job, and caught stuff that your Norton and also your Spybot didn't. Please uninstall it and reboot. I'll post back shortly on the log..
__________________
Don't byte off more than you can chew...
Byteman