#1 (permalink)
New Member
Join Date: Dec 2005
Posts: 3
I'm having difficulties with pop up dos windows on my computer. Here is my hijackthis log. Could someone be kind enough to help?
Logfile of HijackThis v1.99.1
Scan saved at 10:04:31 AM, on 30/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\cmd32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Qpc\QVTNet\bin\Term.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\staff\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hclc.vic.gov.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: QVT-Term.lnk = C:\Program Files\QPC\QVTNet\bin\Term.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135124930690
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...50/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = library.hclc.vic.gov.au
O17 - HKLM\Software\..\Telephony: DomainName = library.hclc.vic.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = library.hclc.vic.gov.au
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe

#2 (permalink)
banned
Join Date: Feb 2005
Posts: 1,486
First of all you have the P2P.TANKED VIRUS!
Follow every step in the stickies and post a new log! Also run a scan with ewido in safe mode! After you download ewido make sure you update the definitions! http://www.ewido.net/en/

#3 (permalink)
New Member
Join Date: Dec 2005
Posts: 3
Logfile of HijackThis v1.99.1
Scan saved at 1:39:28 PM, on 30/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Qpc\QVTNet\bin\Term.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\administrator\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - Global Startup: QVT-Term.lnk = C:\Program Files\QPC\QVTNet\bin\Term.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135124930690
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...50/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = library.hclc.vic.gov.au
O17 - HKLM\Software\..\Telephony: DomainName = library.hclc.vic.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = library.hclc.vic.gov.au
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

#4 (permalink)
banned
Join Date: Feb 2005
Posts: 1,486
Open hijack this and check the following.
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - Global Startup: QVT-Term.lnk = C:\Program Files\QPC\QVTNet\bin\Term.exe
If these Domains do not belong to your ISP, or your firm's network, these entries should be fixed also!
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = library.hclc.vic.gov.au
O17 - HKLM\Software\..\Telephony: DomainName = library.hclc.vic.gov.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = library.hclc.vic.gov.au
You also have this (W32.Looksky.A/D Worm)
You got it from an email so before you fix these entries with hijackthis delete all emails, then open up hijack this, do a system scan only and check the entries listed above and fix them then reboot computer and repost new log.
PS: I advise you to upgrade to SP2 also, and if you are not using a router get a firewall.
Last edited by cell4me; 12-30-2005 at 04:33 AM.
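
One way to compare two HijackThis scans like the ones posted in this thread, as an added example that is not part of any poster's message: it groups entries by section code, reports what appeared or disappeared between scans, and lists the O17 domain values so they can be checked against the network's real domain. The function names are hypothetical, and the sample lines are excerpted from the first and second logs above.

```python
import re
from collections import defaultdict

# A HijackThis entry: section code (R0, O4, O17, ...), " - ", then the entry body.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_hjt(log_text):
    """Group entries by section code; header and process-list lines are skipped."""
    sections = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m["code"]].add(m["body"])
    return sections

def diff_logs(before, after):
    """Return {code: (removed, added)} for every section that changed between scans."""
    a, b = parse_hjt(before), parse_hjt(after)
    changes = {}
    for code in sorted(set(a) | set(b)):
        removed, added = a[code] - b[code], b[code] - a[code]
        if removed or added:
            changes[code] = (sorted(removed), sorted(added))
    return changes

def o17_domains(log_text):
    """Distinct O17 domain values, for comparison with the network's own domain."""
    bodies = parse_hjt(log_text)["O17"]
    return sorted({b.rsplit(" = ", 1)[1] for b in bodies if " = " in b})

# Sample input: lines excerpted from the first and second scans posted in the thread.
FIRST_SCAN = r"""
C:\WINDOWS\System32\cmd32.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = library.hclc.vic.gov.au
"""
SECOND_SCAN = r"""
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = library.hclc.vic.gov.au
"""

if __name__ == "__main__":
    for code, (removed, added) in diff_logs(FIRST_SCAN, SECOND_SCAN).items():
        print(code, "removed:", removed, "added:", added)
    print("O17 domains:", o17_domains(SECOND_SCAN))
```

Entries that appear in both scans, such as the two O4 lines named in the post above, do not show up in the diff, so a reviewer still has to read the unchanged sections.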

#5 (permalink)
New Member
Join Date: Dec 2005
Posts: 3
Ok the problem seems to have gone now. I can't get SP2, routers etc yet as this is a staff terminal in a public library. We are upgrading our computers next year and I shall install SP2 on those. I don't have the power to purchase any equipment. I am also unable to delete all the emails as it is a shared computer.
Thank you all the same, you've been a great help.