PassionFord - Ford Focus, Escort & RS Forum Discussion

Thread: I need help guys .......pleeeeeeeeeease (https://passionford.com/forum/computers-consoles-and-i-t/134023-i-need-help-guys-pleeeeeeeeeease.html)

RSKim 01-08-2006 10:16 PM

I need help guys .......pleeeeeeeeeease
 
Got me a laptop from my mate, when i got it it was fine, and in a way still is now...

But my desktop picture won't work, I've constantly got a black screen telling me I've got spyware, I've paid £40 for bloody Norton Anti Virus/Spyware, and it's cleared all the expected viruses it found, and is saying my pc is ok now, but my desktop still has this spyware warning....and I don't know what else to do :( :( :( :( :( :(



I think it happened when I created my own account on the computer...maybe it sees me as a threat because I logged on from a different place?? I dunno, I'm pretty clueless when it comes to computers :cry:

Thrush 01-08-2006 11:26 PM

Stumped me Kim, not heard of this before!!!

What happens when you right click on the empty desktop and select PROPERTIES, then click DESKTOP ?

You should see something like this;

https://i1.tinypic.com/21nkrat.jpg

Can you do this on yours and tell us what it says, and better still, post a pic like I have?

Also, what happens if you right click on a picture and select SET AS DESKTOP BACKGROUND (or something like that) ?

Here, use this pic and try that, tell me what happens;

http://www.readersdigest.ca/wallpape..._1280x1024.jpg

Lastly, download and run these;

Ad Aware Personal SE

SpyBot

Both are very good programmes for getting rid of spyware - something that Norton won't typically find... Run em both (one after another) and report back :)

DanRSturbo 02-08-2006 08:23 AM

I'd download and run spybot first then try and change your desktop wallpaper :top:

RSKim 02-08-2006 05:08 PM

Thrush I posted this in General too lol....when I click properties on the desktop it just gives me a general tab, and a URL being a file in my C: which I deleted, but nothing happened apart from I got a blank screen now, still won't show my desktop pic no matter how hard I try, the guys in General say it's a virus, but nothing major....gonna go have a look in a min see what I can find :DD:

cheers hun

Thrush 02-08-2006 06:38 PM

Reason I asked is I had a problem like this a while ago, and it wasn't a virus as such, but a pretty malicious spyware problem.

I got a dodgy desktop background (it was just blank with a web URL on it) but my IE was hijacked and the home page reset, and I couldn't change it no matter how hard I tried.

I ended up going to this forum : www.d-a-l.com who talked me through everything, supplied the links for the programmes I needed to run and generally solved my problem for me - superb forum with superb users!

Anyway, first of all, just install and run both Ad-Aware and Spybot (links in my first post) and see how that goes for you.

RSKim 02-08-2006 06:51 PM

Sounds pretty much like mine apart from I can get onto the web, it's just affecting my desktop :cry:

RSKim 02-08-2006 07:42 PM

It's found 16 so far, 14 in my cookies, which presumably will just disappear when I clear them??

And 2 others, one in my docs and settings and the other a spyware problem... :cry:

dvid 03-08-2006 03:29 PM

Try a system restore? :?

RSKim 04-08-2006 06:16 PM

Done a system restore, it's still the same...

It's getting worse now.....I'm getting a windows explorer error message when I log in, and none of my scroll bar or desktop items appear, I have to ctrl, alt and delete to bring up task manager, log off and log back on again then it's ok :?

BM08 04-08-2006 08:31 PM

Think it might be time to re-format :cry:

RSKim 05-08-2006 02:04 PM

I'm an idiot when it comes to computers, what does re-formatting it include??? :cry:

Thrush 05-08-2006 02:45 PM

It means sticking the XP installation disc into it, and wiping the entire laptop and re-installing XP all over again. Unless you back up what you want (either on CD-Rs or a plug in USB hard drive) you WILL lose everything on the laptop.....

BM08 05-08-2006 05:40 PM

yep but should sort you out and get back to normal at least and it will probably run better as well because all the crap will be gone :top:

RSKim 09-08-2006 06:19 PM

hmmmm might try that......will speak to the mother see what she has done already...

how do I wipe the laptop??

Thrush 09-08-2006 06:48 PM

As said Kim you need a Windows XP re-installation disc, which you stick in the lappy and it will go into set up mode and guide you through it. You just need to select the re-install option and format the partition where prompted, but it's all pretty much automated so you shouldn't have too much grief ;)

RSKim 10-08-2006 09:27 PM

pmsl I'm female Thrush :cry: ;)

I'm sure I'll get loads of grief :cry:

Is it just the original XP installation disk? As we have one of them, or is it a different re-installation disk?

Thrush 10-08-2006 10:13 PM

It's the XP one ;)

BM08 11-08-2006 10:57 AM

yep, whack the xp disc in and it's all foolproof as you just click on re-install and click a few buttons.

Yes you're female but I've got faith that you can do this :DD: :cry:

RSKim 19-08-2006 09:25 AM

Well I'm gonna have a bash today keep your fingers crossed for me :cry:

BM08 19-08-2006 05:03 PM

Everything's crossed for ya :DD: :cry:

Turbocabbie 19-08-2006 10:05 PM

if you still want to solve this issue without re-installing, download HijackThis from the following URL and send me the logs or post them in the forum.

http://www.spywareinfo.com/downloads.php?cat=sp#det

I would also NOT suggest reformatting because something caused this issue and you need to resolve it in case it happens again, I mean if you hear an engine knock do you establish what it is or just rebuild?
The problem with reinstalling is that the assumption is being made that you have all the drivers and software the laptop requires, which may not be the case; if the laptop is wireless the native driver support for this in WindowsXP is poor, which means you could find yourself without a net connection and issues which still require resolving, which makes this harder.

If you want to discuss this or require assistance I would suggest checking out the spywareinfo forums; alternatively I would be willing to help through ICQ or AOL messenger

BTW norton is horrible, it eats up system resources and performs badly imho

RSKim 20-08-2006 09:28 PM

Glad I couldn't re-format them :cry:

Will follow that link see what it throws up, thanks for your help :top:

RSKim 20-08-2006 09:32 PM

Logfile of HijackThis v1.99.1
Scan saved at 22:29:16, on 20/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\A User\Local Settings\Temporary Internet Files\Content.IE5\U5KFMTOH\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [RunSetup] C:\Orange\OrangeConnectionKit\Temp\setup.exe -r
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D6036B1-DA96-41BC-9FCB-82075D5DE038}: NameServer = 194.72.0.98 62.6.40.162
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)
O23 - Service: Winkap - Unknown owner - C:\WINDOWS\System32\Winkap.exe (file missing)
O23 - Service: Winkiu - Unknown owner - C:\WINDOWS\System32\Winkiu.exe (file missing)

That's a long log file :cry: :?

Thrush 20-08-2006 10:13 PM

Right, for a start I certainly don't like the look of this entry;

O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe

That relates to a "worm" known as W32/Rbot-BJV - W32/Rbot-BJV is a network worm with backdoor functionality for the Windows platform. W32/Rbot-BJV spreads using a variety of techniques including exploiting weak passwords on computers and exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WKS and ASN.1).

W32/Rbot-BJV can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-BJV can be instructed by a remote user to perform the following functions:

start an FTP server
start a Proxy server
take part in distributed denial of service (DDoS) attacks
log keypresses
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)

The worm copies itself to a file named mssvcc.exe in the Windows system folder and creates the following registry entries to run on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msconfig38
mssvcc.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services
msconfig38
mssvcc.exe

But alas all is not lost! Patches for the operating system vulnerabilities exploited by W32/Rbot-BJV can be obtained from Microsoft at:

http://www.microsoft.com/technet/sec.../ms04-011.mspx
http://www.microsoft.com/technet/sec.../MS04-012.mspx
http://www.microsoft.com/technet/sec.../MS03-049.mspx
http://www.microsoft.com/technet/sec.../MS04-007.mspx

RSKim 21-08-2006 07:00 PM

So what can I do :cry:

Can I delete it or, will there be a scan on one of them links to get rid of it??

I've found out my mate who I got it off, took it into PC World and they said they had deleted all the bad files and viruses...looks like they never did anything :mad:

Thrush 21-08-2006 08:14 PM

You should be able to patch it with the provided links in my post Kim...

RSKim 21-08-2006 08:50 PM

I had a look but I don't understand what I need to do :cry: oh god i feel like a right dumb bint, leave it with me, let me go find a brain and try and use it :cry:

Turbocabbie 24-08-2006 03:29 PM

You also have the remains of past Trojan experiences... the line below

O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)

This indicates a past infection of the W32/Tilebot-FE worm which does the following

# Allows others to access the computer
# Installs itself in the Registry
# Exploits system or software vulnerabilities

It is also known as Backdoor.Win32.SdBot.xd and W32/Sdbot.worm.gen.g

The multiple infections suggest that your Windows system requires patching or updating !!!

Turbocabbie 24-08-2006 04:06 PM


Originally Posted by RSCossieKim
I had a look but I don't understand what I need to do :cry: oh god i feel like a right dumb bint, leave it with me, let me go find a brain and try and use it :cry:

LMAO it's ok we will try to help in greater detail... this is the bit where you try to understand what's going on, please do not think I am talking down to you.... I'm trying to explain as simply as I can :D

------

Your hijack this log has at number 4 the following information :-

O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe

The file mssvcc.exe relates to a "worm" on your computer known as W32/Rbot-BJV

This worm copies itself to the following location on your computer:
• %SYSDIR%\mssvcc.exe
It runs from this location and then deletes itself most of the time.

The worm then needs to run after the machine is restarted in order to infect your computer further and it does this by placing the following information in the Windows registry : (the windows registry is what controls how things run and start on your computer, specific settings and so on)

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "msconfig38"="mssvcc.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services]
• "msconfig38"="mssvcc.exe"

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Ole]
Old value:
• "EnableDCOM"="%user defined settings%"
New value:
• "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
Old value:
• "restrictanonymous"=dword:%user defined settings%
"restrictanonymoussam"=dword:%user defined settings%
New value:
• "restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001


In order to ensure its propagation the worm attempts to connect to other machines as described below. (NOTE : This means machines in contact with this laptop through a network environment may also be infected)

It drops copies of itself to the following network shares:
• IPC$
• C$
• ADMIN$

It uses the following login information in order to gain access to the remote machine:

– The following list of usernames:
• adm; admin; administrador; administrat; administrateur; administrator;
admins; computer; database; db2; dba; default; guest; oracle; owner;
root; staff; student; teacher; wwwadmin

– The following list of passwords:
• 007; 123; 1234; 12345; 123456; 1234567; 12345678; 123456789;
1234567890; 2000; 2001; 2002; 2003; 2004; access; accounting;
accounts; asd; backup; bill; bitch; blank; bob; brian; changeme;
chris; cisco; compaq; control; data; databasepass; databasepassword;
db1; db1234; db2; dbpass; dbpassword; default; dell; demo; domain;
domainpass; domainpassword; eric; exchange; fred; fuck; george; god;
guest; hell; hello; home; homeuser; ian; ibm; internet; intranet; jen;
joe; john; kate; katie; lan; lee; linux; login; loginpass; luke; mail;
main; mary; mike; neil; nokia; none; null; oem; oeminstall; oemuser;
office; orainstall; outlook; pass; pass1234; passwd; password;
password1; peter; pwd; qaz; qwe; qwerty; root; sam; server; sex;
siemens; slut; sql; sqlpassoainstall; sue; susan; system; technical;
test; unix; user; web; win2000; win2k; win98; windows; winnt; winpass;
winxp; www; zxc

The worm also makes use of the following issues in Windows; you need to fix the problems by downloading the updates associated with them. The exploits are described below, although not all of them are applicable to your computer. You simply need to download the updates posted by Thrush

– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)

This worm also has the ability to use your system for attacks on other users in what is called a distributed denial-of-service attack (DDOS). To do this the system has to provide information about itself and present itself for remote control; it does this by connecting to the following IRC (Internet Relay Chat) servers :

Server: **********.slateit1703.info
Port: 8080
Channel: #final,#finaldownload
Nickname: USA|%six-digit random character string%
Password: he.he

Server: **********.3071tietals.info
Port: 8080
Channel: #final,#finaldownload
Nickname: USA|%six-digit random character string%
Password: he.he

This worm has the ability to collect and send information such as:
• CPU speed
• Current user
• Details about drivers
• Free disk space
• Free memory
• Malware uptime
• Information about the network
• Size of memory
• Information about the Windows operating system

Furthermore it has the ability to perform actions such as:
• connect to IRC server
• Launch DDoS ICMP flood
• Launch DDoS SYN flood
• Launch DDoS UDP flood
• Disable DCOM
• Disable network shares
• disconnect from IRC server
• Download file
• Enable DCOM
• Enable network shares
• Execute file
• Join IRC channel
• Kill process
• Leave IRC channel
• Open remote shell
• Perform network scan
• Restart system
• Start spreading routine
• Terminate malware
• Updates itself
• Upload file

A backdoor (UDP port 69) onto your system will be created and made available for remote access; this is used for an FTP (File Transfer Protocol) server which can be used to upload files to your machine.

If you understand that then we can move onto removing it and all aspects of it... does this help or do I need to go even simpler... I can ;)

Thrush 24-08-2006 06:55 PM

Okay Kim - there is an easy way to fix this hun....

Run that HIJACKTHIS programme again till you get the results - don't close it when it has done!!!!

Scroll down the report till you see this entry;

O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe

highlight this (make sure no other items have a tick next to them) and put a tick in its box. On the interface of your HIJACK THIS programme you have a button that says FIX CHECKED. Press this. This should remove the item from your PC and sort it out for you.

https://i8.tinypic.com/25hk0zs.jpg

I would also advise you do the same with the line;

O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)

as well, as already pointed out - it's a left over trojan file....

RSKim 24-08-2006 08:00 PM

OMG how helpful are you guys, I owe you both BIG time..

Well I had a mess around, AND I went onto the microsoft website, I think it was microsoft that Thrush posted, and checked to see if my windows version was genuine, and it is not, so it will not let me get any of the updates....

Now I do have an XP disk, so do I need to re-install a genuine windows programme before I can do any of the above??


UnseenMenace thank you SO much for spending the time writing that out i appreciate it SO much!!!!!!

Will try what you say Thrush, will it let me do this even though I don't have a genuine copy of windows?

I found my brain btw, think I may have been having a bad night the other night!!! :cry:

:top:

RSKim 24-08-2006 08:16 PM

Ok I done what you said Thrush, just as I say I cannot load the updates as my windows copy isn't genuine, so do I just now put in my XP disk and install?? :top:

I'm still in shock at how helpful you are :eek:

UnseenMenace God hun I appreciate you simplifying it for me, I know you're not talking down to me hun....its nice that someone is willing to simplify things for the erm lesser knowledged people, or in my case thick bints :cry: :cry:

Think I understand what you have said, so is it just a case of downloading them updates from microsoft? :DD:

Cheers guys xxxxx :hug: :smack:

RSKim 24-08-2006 08:19 PM

And this is my log file now:

Logfile of HijackThis v1.99.1
Scan saved at 21:10:58, on 24/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\A User\Local Settings\Temporary Internet Files\Content.IE5\C56JGHE3\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [RunSetup] C:\Orange\OrangeConnectionKit\Temp\setup.exe -r
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D6036B1-DA96-41BC-9FCB-82075D5DE038}: NameServer = 62.6.40.162 194.72.0.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)
O23 - Service: Winkap - Unknown owner - C:\WINDOWS\System32\Winkap.exe (file missing)
O23 - Service: Winkiu - Unknown owner - C:\WINDOWS\System32\Winkiu.exe (file missing)


What are the last two files? that file name it's giving me, system32, is the file name I get when I select properties on my desktop :?

Thrush 24-08-2006 08:57 PM

Not sure about the last two hun, tho you say when you click properties on your desktop you get something about "system32" ??? Can you get me a pic of what you get when you right click on the desktop and select properties?

the line O4 - HKLM\..\Run: [msconfig38] mssvcc.exe is still there, so that needs to be FIX CHECKED then re-scan again with HiJackThis (post a new log file).

At this point Kim, I am getting to the end of my registry knowledge ( :cry: ) and there might be something I am missing.

Go to this site : http://www.d-a-l.com/help/ , register like you did with PassionFord and start a help topic in the "Windows XP Help" forum. Tell them what you have told us, and include an up-to-date HJT log file (like you have been posting for us).

When I had problems I couldn't solve, I did this and there are some UBER geeks on there :cry: that really know their shit and they have saved my ass several times now!!!!

Gotta be worth a try ;)

Now, before re-installing XP (always a last resort ideally) is your copy registered? On the lappy somewhere you should have a sticker that looks like this;

http://www.zodiac.com.hk/zodiac/reso...me_sticker.jpg

This should have a long code on it that is the product key licence - you need to make sure yours is actually registered otherwise it will come up as a non-genuine version when you try to get updates from Microsoft's site...

To find out if yours is registered, go to CONTROL PANEL and double click the SYSTEM icon. This should open a small window with your details in it, and look like this;

http://www.gwu.edu/~virtual/security.../winver.xp.gif

In the second paragraph, REGISTERED TO, should be your details, or the details of the person who had it before you, under the name should be a long number like this;

xxxxx-OEM-xxxxxxxx-xxxxx (the x's would actually be numbers lol)

If you don't have this then you need to register your copy of XP with Microsoft via the web in order to receive a validation in order to download updates and patches. You will need your product licence number for this (if you can't see it on the computer, look in the packaging with your discs as it is sometimes in there as well).

Only thing is - I can't remember how to activate/register the licence code :cry: It's been so long since I done it, and I always do it after a fresh install :cry:

Someone will know so hold off re-installing for the time being tho babe :)

RSKim 24-08-2006 09:28 PM

that log above is after I removed the file you told me to, so shall I try getting rid of them again?? :(

lol nope theres no code anywhere...will go check my system now cheers hun x :DD:

RSKim 24-08-2006 09:32 PM

Just had a look it says registered to A-User and has a code there :?

now I'm getting confused!! :cry:

Thrush 24-08-2006 09:40 PM

I am confused as well - unless it really IS a dodgy copy of Windows and a fake product key (as in, it's a pirate copy with a keygen product key) :? :? :?

RSKim 24-08-2006 09:54 PM

It could be my laptop was VERY cheap...... :cry: :oops:

Thrush 24-08-2006 09:56 PM

It might be quicker if you post it to me and I'll sort it :cry:

RSKim 24-08-2006 10:10 PM

fpmsl if i could i would......you gotta be more trustworthy than PC Fookin World!!!!!!!!!!!!!!!! :cry:




© 2024 MH Sub I, LLC dba Internet Brands