Can you help? I'm new to this and have so many viruses I'm surprised the computer starts. How do I take the registry settings and post them for help?
Welcome to Wilders! I'm sure a mod will soon move this to an appropriate forum.

1. Do you currently have an up to date antivirus installed? If so, what is it?
2. Your operating system? (XP, ME, etc.)
3. What specific symptoms are you noticing?

If you can provide a bit more information for us, I'm sure others will be along soon to help, as well.
JimIT, thanks for helping. Running Norton, out of date, which will now be rectified. System: WinXP. Problems caused: browser hijacked into porn sites, and credit card details hijacked.
Did I hear hijack? Hi djh, Could you please post a HijackThis log. Follow the instructions posted here: http://www.wilderssecurity.com/showthread.php?t=15913 Regards, Pieter
Copy of HijackThis file:

Logfile of HijackThis v1.97.7
Scan saved at 21:37:12, on 08/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Altnet\Points Manager\Points Manager.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\mstaskm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dave\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.meshcomputers.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: MSM32 Helper - {1E1B2879-88FF-11D2-8D96-000000000004} - C:\WINDOWS\system\SSocks32.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SCBlink2Menu] E:\Setup.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://portal.plus.net/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37910.0193402778
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5E8ACDA-BB8E-4E4D-8A1E-F9481B9046DF}: NameServer = 212.159.11.150,212.159.13.150
Hi djh,

Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
O2 - BHO: MSM32 Helper - {1E1B2879-88FF-11D2-8D96-000000000004} - C:\WINDOWS\system\SSocks32.dll (file missing)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SCBlink2Menu] E:\Setup.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab

Reboot after doing so, preferably into safe mode, and delete:

C:\Program Files\Altnet\Points Manager <= entire folder
C:\WINDOWS\svchost.exe <= only that one, do NOT try to remove the ones in the System32 folder
C:\WINDOWS\System32\mstaskm.exe

Then reboot normally and download and run CWShredder to get rid of the CWS elements that don't show in HijackThis.

Regards,
Pieter
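The triage Pieter did by eye above can be partly mechanised. The script below is an added example, not part of this thread and not a feature of HijackThis or CWShredder: it parses HijackThis log lines and flags the patterns he acted on, namely an IE start or default page set to a local file rather than a web URL, a BHO whose DLL is reported missing, a Windows core process name (svchost.exe) launched from somewhere other than System32, an autostart image on a drive other than the system drive, and an O16 ActiveX control with no recorded download source or one fetched from a host outside an allowlist. The sample lines are copied from the log posted earlier in the thread; the `KNOWN_DPF_HOSTS` allowlist, the `SYSTEM_DRIVE` value and the `WINDOWS_CORE` name list are assumptions constructed for this example. Judgment calls that a helper makes by eye, such as "Microsoft Helper Service" being a name that imitates a Microsoft component, are deliberately not encoded.

```python
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis v1.97.7 log posted earlier in this thread
# (a subset; enough to exercise every rule below).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
O2 - BHO: MSM32 Helper - {1E1B2879-88FF-11D2-8D96-000000000004} - C:\WINDOWS\system\SSocks32.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [SCBlink2Menu] E:\Setup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
"""

# Names of Windows core processes (assumed list). Any of these launched from a
# directory other than System32 is the look-alike trick seen in the log above
# (the bogus C:\WINDOWS\svchost.exe next to the real System32 copies).
WINDOWS_CORE = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                "csrss.exe", "smss.exe"}

# ActiveX download hosts treated as known vendors. This allowlist is an
# assumption built from the posted log, not a HijackThis feature; anything
# not on it is reported for manual review rather than declared malicious.
KNOWN_DPF_HOSTS = {"download.macromedia.com", "www.apple.com",
                   "security.symantec.com", "v4.windowsupdate.microsoft.com",
                   "us.creative.com"}

SYSTEM_DRIVE = "c:"  # assumption: Windows is installed on C:

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d*) - (?P<body>.*)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DPF_RE = re.compile(r"DPF: \{[^}]+\} \((?P<name>[^)]*)\) -\s*(?P<src>\S*)")


def parse_log(text):
    """Yield (section, body) for every HijackThis entry line in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body").strip()


def image_path(cmd):
    """Strip quotes and trailing switches (/AUTOSTART, -s, ...) from a Run command."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return re.sub(r"(\s+[/-]\S+)+$", "", cmd)


def check_entry(section, body):
    """Return the reasons an entry deserves attention (empty list if none)."""
    reasons = []
    if section in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip()
        if value and not value.lower().startswith(("http://", "https://", "about:")):
            reasons.append("IE start/default page is a local file, not a web URL")
    elif section == "O2" and body.endswith("(file missing)"):
        reasons.append("BHO is registered but its DLL is gone: dead hook left behind, safe to remove")
    elif section == "O4":
        m = RUN_RE.search(body)
        if m:
            path = image_path(m.group("cmd")).lower()
            parent, _, exe = path.rpartition("\\")
            if exe in WINDOWS_CORE and not parent.endswith("\\system32"):
                reasons.append(f"{exe} started from {parent or '?'} instead of System32: "
                               "look-alike of a Windows core process")
            if re.match(r"^[a-z]:\\", path) and not path.startswith(SYSTEM_DRIVE):
                reasons.append(f"autostart image lives on drive {path[:2].upper()}, not the system drive")
    elif section == "O16":
        m = DPF_RE.search(body)
        if m:
            host = urlparse(m.group("src")).hostname if m.group("src") else None
            if host is None:
                reasons.append("ActiveX control installed with no recorded download source")
            elif host.lower() not in KNOWN_DPF_HOSTS:
                reasons.append(f"ActiveX control downloaded from unrecognised host {host}")
    return reasons


def triage(text):
    """Run every rule over a log and return the entries that were flagged."""
    flagged = []
    for section, body in parse_log(text):
        reasons = check_entry(section, body)
        if reasons:
            flagged.append({"section": section, "entry": body, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['section']} - {hit['entry']}")
        for r in hit["reasons"]:
            print(f"    -> {r}")
```

Run stand-alone it prints the seven entries from the sample that Pieter also picked out, and leaves the Google start page, the Norton and Messenger autostarts and the Macromedia control alone. A clean run is not proof of a clean machine: the rules only cover what HijackThis lists, which is exactly why the post above finishes with a CWShredder pass for the CWS pieces that never appear in the log.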
djh, Pieter is definitely "the man" when it comes to this stuff... I would also follow up his instructions by updating your NAV, and doing a full system scan for stray bogies, as well. Good luck.
Hey JimIT, You stick around and keep an eye out for any real viruses that show up, OK? Looking at the log, NAV (or something else) killed this one: http://www.symantec.com/avcenter/venc/data/backdoor.lixy.b.html Regards, Pieter
To Pieter: Thanks very much for your instructions. Followed them to the letter; works perfectly. You're obviously a very clever man. Good job there are people like you about to undo the work of these parasites who write these viruses in the first place. Once again, many thanks, djh
Hi djh, My pleasure. You may find this an interesting read on how to prevent future infections: http://boards.cexx.org/viewtopic.php?t=957 Regards, Pieter
Unfortunately Wilders has no "thumbs-up" mechanism for us to privately commend Pieter {similar to that at dslreports}, so let's all just give him a shot of positive karma!