hjt log - cws, nav, & bmo

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by scott451, Jul 4, 2004.

  1. scott451

    scott451 Private E-2

    hi,

    you find attached my hijackthis log. i am a relative newcomer to the adware and spyware game. i am having a few problems, and i would appreciate any advice concerning my log.

    i have a recurring problem with cws, there are a few variants that just keep coming back. spybot search and destroy also gives me an error on the nav agent. however, when i disable the entry, the system tray icon goes away. and finally, i have a few mystery bho.

    thanks in advance


    scott

    -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * --

    Logfile of HijackThis v1.98.0
    Scan saved at 00:37:14, on 05/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\SpyBlocker\spyblocker.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\PROGRA~1\NORTON~1\Navapw32.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\D-Link AirPlus\AirPlus.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    D:\Palm\Hotsync.exe
    C:\Program Files\Fichiers communs\Symantec Shared\NMain.exe
    C:\PROGRA~1\NORTON~1\navw32.exe
    C:\PROGRA~1\NORTON~1\QServer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Blocker\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker\spyblocker.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\Navapw32.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: HotSync Manager.lnk = D:\Palm\Hotsync.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: D-Link AirPlus.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
     
    scott451, Jul 4, 2004
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First get the software items given below and install them but do not run the scans yet until we boot into safe mode.

    Try downloading, installing, and UPDATING Ad-aware from here:
    http://www.majorgeeks.com/download506.html

    Read and print these instructions on running a full scan with Ad-aware:
    http://www.lavahelp.com/howto/fullscan/index.html

    also get the VX2 Cleaner Plugin for Ad-aware and install it:
    http://www.majorgeeks.com/download4283.html

    Make sure your copy of SpyBot S&D is updated (should be 1.3 final and updated detections from 6/23/04)

    Disable System Restore: http://www.majorgeeks.com/vb/showthread.php?t=31668
    After disabling system restore you will need to reboot but before doing that read the link below so you can boot into safe mode.

    Now boot into safe mode: http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Now scan with SpyBot S&D and clean what it finds.
    Now run a full scan with Ad-aware (refer to the instructions I suggested your print earlier) and clean what it finds.
    Now run Ad-aware's VX2 cleaner plugin folllowing the below instuctions:
    How to use Lavasoft’s VX2 Cleaner plug-in:
    - Close Ad-Aware 6 build 181 and Ad-Watch (if running)
    - Download the free VX2 Cleaner here
    - Install the VX2 Cleaner
    - Start Ad-Aware 6 build 181
    - Go to “Plug-ins”
    - Select the VX2 Cleaner plug-in and click “Run Plugin”
    - If your computer isn’t infected, click “Close”.

    Reboot in normal mode and let's see how things look.
    If everything is okay, enable system restore.
     
    chaslang, Jul 4, 2004
    #2

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds