Can't run NAV, symantec.com, HijackThis, etc.; they disappear

  1. #1
    cc2day (Newbie)

    My XP Pro machine started to randomly crash today and not reboot. Also, my password will not work when I come out of standby. I installed Symantec NAV and it will not open unless I rename the file, but it is an old version, so the definitions aren't up to date and LiveUpdate will not work. I managed to get HijackThis to run by renaming it. Here are the details:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:23:20 PM, on 6/26/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\Program Files\Dynu Systems\Basic\basicsvc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\libsys32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrotray.exe
    C:\Program Files\PowerMenu\PowerMenu.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Documents and Settings\David\Desktop\HijackThiss.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
    O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
    O4 - Startup: Shortcut to acrotray.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrotray.exe
    O4 - Startup: Shortcut to PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9DCE3998-E7B3-11D7-B903-000476323445} (CPCROW Control) - http://www.postcalls.com/group/sendcallout/CPCROW.dll
    O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Dynu Basic Dynamic DNS Client v3.24 (DynuBasic) - Unknown owner - C:\Program Files\Dynu Systems\Basic\basicsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
    O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Nofeel FTP Server Service - Nofeel Software Team - C:\Program Files\Nofeel FTP Server\nftpdsvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe


    Can anyone please help?


  2. #2
    Neal (Dedicated Member)
    Welcome to DAL,



    Please download, install, and update the NEW free version of Ewido trojan scanner:

    When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    From the main ewido screen, click on update in the left menu, then click the Start update button.

    After the update finishes (the status bar at the bottom will display "Update successful")

    Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

    If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

    When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

    Post the log Ewido makes back here please and a new hijackthis log. Thanks.




    Go to BitDefender and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX control has loaded, click on "Click here to scan" and grab a coffee.

    When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).

    And post a new HJT log also..


    If you can't do the above scans, then do the steps below and then try the scans.


    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

    Re-hide after we are done


    Now reboot into Safe Mode by tapping your F8 key on restart; when the Safe Mode screen appears, select Safe Mode and press Enter.


    Run HijackThis, click on the Scan button, and put checks next to these:


    O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
    O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
    O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe

    O16 - DPF: {9DCE3998-E7B3-11D7-B903-000476323445} (CPCROW Control) - http://www.postcalls.com/group/sendcallout/CPCROW.dll



    With nothing open but HijackThis, click on "Fix checked".


    Still in safe mode


    Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


    DELETE FILES:

    C:\WINDOWS\System32\libsys32.exe
    syslog32.exe (probably in the system32 folder)


    Reboot into normal mode and post back with results please, thanks.
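The entries Neal picks out above share a pattern a practitioner can check mechanically rather than by eye: a Run value that is a bare filename rather than a full path (so it is found by PATH search and the log does not tell you where it lives), a label that imitates a Windows component ("Microsoft System Checkup", "NT Logging Service"), a value under the Windows 9x-era RunServices key that NT/XP never reads, and a service with no vendor string pointing at the same binary. The Python below is an added example, not part of the thread or of HijackThis, that scores O4 and O23 lines on those signals. The sample lines are copied from the first log in this thread, legitimate entries included; the weights and the "Windows-sounding" word list are illustrative choices, not anything the page specifies.

```python
"""Score HijackThis O4 (autostart) and O23 (service) lines for the
persistence pattern seen in this thread. Added example, not part of
HijackThis; weights and word lists are illustrative choices."""
import re
from dataclasses import dataclass, field

# Lines copied from the first HijackThis log posted above, legitimate
# entries included so the heuristics can be checked against both kinds.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - Startup: Shortcut to PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe
"""

# Registry-backed O4 lines only; "O4 - Startup:" shortcut lines are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# Illustrative list of words malware uses to make an autostart label look official.
MIMIC_RE = re.compile(r"\b(microsoft|windows|system|nt)\b", re.I)


@dataclass
class Finding:
    binary: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(f"+{points} {why}")


def binary_of(cmd):
    """Return (basename, had_explicit_path) for the program a Run value launches."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        exe = cmd[1:cmd.index('"', 1)]        # quoted path, may be followed by arguments
    else:
        exe = cmd.split()[0]                  # first token is the program
    return exe.rsplit("\\", 1)[-1].lower(), "\\" in exe


def triage(log_text):
    """Return findings with a non-zero score, highest first."""
    findings = {}
    run_binaries, unvendored_services = set(), set()

    def finding(binary):
        return findings.setdefault(binary, Finding(binary))

    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            binary, has_path = binary_of(m["cmd"])
            run_binaries.add(binary)
            fd = finding(binary)
            if not has_path:
                fd.add(1, "Run value is a bare filename resolved by PATH search, not a full path")
            if m["key"].lower() == "runservices":
                fd.add(2, "RunServices is a Windows 9x key that NT/XP never reads; worms still populate it")
            if MIMIC_RE.search(m["label"]):
                fd.add(2, f"label {m['label']!r} imitates a Windows component")
            continue
        m = O23_RE.match(line)
        if m:
            binary = m["path"].rsplit("\\", 1)[-1].lower()
            fd = finding(binary)
            if m["owner"] == "Unknown owner" and "\\system32\\" in m["path"].lower():
                fd.add(1, "service with no vendor string running out of System32")
                unvendored_services.add(binary)
            if m["missing"]:
                fd.add(1, "service binary reported missing: deleted by a scanner or hidden")
    # Correlation across sections is the strongest signal in this log.
    for binary in run_binaries & unvendored_services:
        finding(binary).add(3, "same binary registered both as a Run value and as an unvendored service")
    return sorted((f for f in findings.values() if f.score), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score:3d}  {f.binary}")
        for why in f.reasons:
            print("      ", why)
```

Run against the sample, libsys32.exe lands on top by a wide margin and syslog32.exe second, while SOUNDMAN.EXE, rundll32.exe and ati2sgag.exe each score a single point: a bare filename or an unvendored service on its own is only a prompt to look the file up, not a verdict, which is exactly why Neal asks for scanner logs before and after the fix rather than deleting on the HijackThis output alone.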

  3. #3
    cc2day (Newbie)
    Quote Originally Posted by Neal
    ...Post the log Ewido makes back here please and a new hijackthis log. Thanks.
    Thanks for the welcome. And thanks for what you do to help! Here is the Ewido Log:

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 9:01:32 PM 6/26/2006

    + Scan result:


    :mozilla.50:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.49:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.51:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.52:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.53:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.54:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.32:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
    :mozilla.6:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\89xt3qht.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
    D:\Documents and Settings\David\Cookies\david@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
    D:\Documents and Settings\David\Cookies\david@bluestreak[2].txt -> TrackingCookie.Bluestreak : No action taken.
    D:\Documents and Settings\David\Cookies\david@centrport[1].txt -> TrackingCookie.Centrport : No action taken.
    :mozilla.43:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Com : No action taken.
    :mozilla.58:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
    D:\Documents and Settings\David\Cookies\david@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
    :mozilla.22:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\89xt3qht.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.23:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\89xt3qht.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.24:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\89xt3qht.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.25:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\89xt3qht.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.26:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\89xt3qht.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.29:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\89xt3qht.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.30:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\89xt3qht.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.46:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
    :mozilla.56:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Overture : No action taken.
    :mozilla.57:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Overture : No action taken.
    D:\Documents and Settings\David\Cookies\david@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
    D:\Documents and Settings\David\Cookies\david@ads.pointroll[1].txt -> TrackingCookie.Pointroll : No action taken.
    D:\Documents and Settings\David\Cookies\david@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
    C:\Documents and Settings\David\Cookies\david@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : No action taken.
    :mozilla.19:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\89xt3qht.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
    :mozilla.34:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
    :mozilla.63:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
    :mozilla.64:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
    :mozilla.65:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
    :mozilla.66:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
    :mozilla.67:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
    :mozilla.68:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
    :mozilla.69:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
    :mozilla.70:C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\s7mgmz2o.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.

    ::Report end

    And the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:02:23 PM, on 6/26/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Dynu Systems\Basic\basicsvc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrotray.exe
    C:\Program Files\PowerMenu\PowerMenu.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\David\Desktop\HijackThiss.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
    O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
    O4 - Startup: Shortcut to acrotray.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrotray.exe
    O4 - Startup: Shortcut to PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {9DCE3998-E7B3-11D7-B903-000476323445} (CPCROW Control) - http://www.postcalls.com/group/sendcallout/CPCROW.dll
    O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Dynu Basic Dynamic DNS Client v3.24 (DynuBasic) - Unknown owner - C:\Program Files\Dynu Systems\Basic\basicsvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
    O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Nofeel FTP Server Service - Nofeel Software Team - C:\Program Files\Nofeel FTP Server\nftpdsvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)

    I'll go ahead and start the next step...

  4. #4
    cc2day (Newbie)
    BitDefender results

    Scan report generated at: Tue, Jun 27, 2006 - 01:07:53

    Scan path: A:\;C:\;D:\;E:\;H:\;

    Statistics
    Time: 03:44:03
    Files: 1442183
    Folders: 9725
    Boot Sectors: 10
    Archives: 17820
    Packed Files: 155773

    Results
    Identified Viruses: 3
    Infected Files: 4
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 3

    Engines Info
    Virus Definitions: 389493
    Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
    Scan plugins: 13
    Archive plugins: 39
    Unpack plugins: 5
    E-mail plugins: 6
    System plugins: 1

    Scanned File -> Status
    C:\WINDOWS\system32\cool.exe -> Infected with: Backdoor.SDBot.C647398C
    C:\WINDOWS\system32\cool.exe -> Deleted
    C:\WINDOWS\system32\drivers\etc\hosts -> Infected with: Generic.Qhost
    C:\WINDOWS\system32\drivers\etc\hosts -> Disinfection failed
    C:\WINDOWS\system32\drivers\etc\hosts -> Deleted
    C:\WINDOWS\system32\libsys32.exe -> Infected with: Backdoor.SDBot.C647398C
    C:\WINDOWS\system32\libsys32.exe -> Disinfection failed
    C:\WINDOWS\system32\libsys32.exe -> Delete failed
    D:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-346d8487.zip -> Infected with: Trojan.Downloader.Java.Openstream.W
    D:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-346d8487.zip -> Disinfection failed
    D:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-346d8487.zip -> Deleted

    HijackThis results:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:28:02 AM, on 6/27/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\libsys32.exe
    C:\Documents and Settings\David\Desktop\HijackThiss.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
    O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
    O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
    O4 - Startup: Shortcut to acrotray.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrotray.exe
    O4 - Startup: Shortcut to PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firstamres.com/mapviewer/mapviewer.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Dynu Basic Dynamic DNS Client v3.24 (DynuBasic) - Unknown owner - C:\Program Files\Dynu Systems\Basic\basicsvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Nofeel FTP Server Service - Nofeel Software Team - C:\Program Files\Nofeel FTP Server\nftpdsvc.exe
    O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe
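BitDefender's Generic.Qhost detection on C:\WINDOWS\system32\drivers\etc\hosts is a hosts-file hijack, and it fits the opening complaint that symantec.com "disappears" and LiveUpdate fails: the hosts file is consulted before DNS, so a malware-written line mapping a vendor or update hostname to 127.0.0.1 (or to an attacker's address) makes that site unreachable or silently replaces it, and the machine can never fetch fresh definitions. The Python below is an added example, not from the thread or from any scanner discussed in it, that audits a hosts file for that pattern and emits a cleaned copy. The sample hosts content is constructed to mimic the Qhost pattern (the page does not show the real file from this machine), and the watch list of vendor domains is an illustrative choice drawn from the sites named in this thread.

```python
"""Audit a Windows hosts file for the Generic.Qhost pattern: vendor and
update hostnames pinned to loopback or to a foreign address. Added
example, not part of the thread or of any scanner discussed in it."""
import ipaddress
import sys

# Constructed sample in the Qhost style. The page does not show the real
# file from this machine; 192.0.2.44 is an RFC 5737 documentation address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       update.microsoft.com windowsupdate.microsoft.com
192.0.2.44      www.bitdefender.com
192.0.2.44      www.ewido.net   # comment after a mapping
"""

# Illustrative watch list: vendors and update hosts named in this thread.
WATCH_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "microsoft.com",
    "windowsupdate.com", "bitdefender.com", "ewido.net", "pandasoftware.com",
)
BLACKHOLED = "security/update site black-holed to loopback"
REDIRECTED = "security/update site redirected to a foreign address"
OVERRIDE = "non-loopback override of an unlisted name (verify intent)"


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, ignoring comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment anywhere
        if not line:
            continue
        ip, *names = line.split()                # one address, one or more names
        for name in names:
            yield n, ip, name.lower()


def on_watchlist(name):
    return any(name == s or name.endswith("." + s) for s in WATCH_SUFFIXES)


def audit_hosts(text):
    """Return (line_no, ip, name, reason) for every suspicious mapping."""
    findings = []
    for n, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, ip, name, "unparseable address"))
            continue
        if addr.is_loopback and name in ("localhost", "localhost.localdomain"):
            continue                             # the only mapping a stock hosts file carries
        if on_watchlist(name):
            findings.append((n, ip, name, BLACKHOLED if addr.is_loopback else REDIRECTED))
        elif not addr.is_loopback:
            findings.append((n, ip, name, OVERRIDE))
    return findings


def clean_hosts(text):
    """Return hosts content with every flagged line removed, comments kept."""
    bad_lines = {n for n, *_ in audit_hosts(text)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad_lines]
    return "\n".join(kept).rstrip("\n") + "\n"


if __name__ == "__main__":
    # With a path argument audit that file; otherwise use the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for n, ip, name, reason in audit_hosts(text):
        print(f"line {n}: {ip} {name}  [{reason}]")
    print("--- cleaned ---")
    print(clean_hosts(text), end="")
```

On XP the file is C:\WINDOWS\system32\drivers\etc\hosts. The script prints the cleaned content rather than writing it back, so the operator can review what is dropped first; a stock Windows hosts file needs nothing beyond the localhost line, which is why the audit treats any other mapping of a vendor domain as hostile rather than trying to guess a "correct" address for it.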

  5. #5
    Neal (Dedicated Member)
    Hi,


    Well, I missed one on your log, and it is the reason BitDefender could not delete those files, so...



    Create a folder such as C:\HJT or C:\Program Files\HJT and move HJT.exe into the newly created folder so we have available backups in case you fix the wrong thing or I make a mistake. Very important.



    Go to Start > Run and type in Services.msc then click OK

    Click the Extended tab.

    Scroll down until you find NT login service.

    Click once on the service to highlight it.

    Click Stop

    Right-Click on the service.

    Click on 'Properties'

    Select the 'General' tab

    Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

    From the drop-down menu, click on 'Disabled'

    Click the 'Apply' tab, then click 'OK'

    Next:

    Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type NT login service and press OK. OK any prompts, close HijackThis, and restart your computer.


    Please re-scan with BitDefender and post the log again and a new hijackthis log. Thanks.


    Then go get Service Pack 1 (Microsoft Update) now, or we will never be able to get you clean. Do not install Service Pack 2 on an infected machine.

    http://update.microsoft.com/windowsu....aspx?ln=en-us
    Last edited by Neal; 27-06-2006 at 06:04 PM.
