Computers, Consoles and I.T. Post all computer related chat in here for our I.T techies to help with. Please be aware that any discussions related to piracy will be removed and render the member liable to a possible ban. Piracy renders PassionFord Admin liable for prosecution, as well as its members.

I need help guys .......pleeeeeeeeeease

Old 01-08-2006, 10:16 PM
  #1  
RSKim
15K+ Super Poster!!
Thread Starter
 
RSKim's Avatar
 
Join Date: Jun 2004
Location: ......
Posts: 17,303
Likes: 0
Received 0 Likes on 0 Posts
Default I need help guys .......pleeeeeeeeeease

Got me a laptop from my mate, when I got it it was fine, and in a way still is now...

But my desktop picture won't work, I've constantly got a black screen telling me I've got spyware, I've paid £40 for bloody Norton Anti Virus/Spyware, and it's cleared all the expected viruses it found, and is saying my pc is ok now, but my desktop still has this spyware warning....and I don't know what else to do



I think it happened when I created my own account on the computer...maybe it sees me as a threat because I logged on from a different place?? I dunno, I'm pretty clueless when it comes to computers
Old 01-08-2006, 11:26 PM
  #2  
Thrush

Stumped me Kim, not heard of this before!!!

What happens when you right click on the empty desktop and select PROPERTIES, then click DESKTOP ?

You should see something like this;



Can you do this on yours and tell us what it says, and better still, post a pic like I have?

Also, what happens if you right click on a picture and select SET AS DESKTOP BACKGROUND (or something like that) ?

Here, use this pic and try that, tell me what happens;



Lastly, download and run these;

Ad Aware Personal SE

SpyBot

Both are very good programmes for getting rid of spyware - something that Norton won't typically find... Run em both (one after another) and report back
Old 02-08-2006, 08:23 AM
  #3  
DanRSturbo

I'd download and run Spybot first, then try and change your desktop wallpaper
Old 02-08-2006, 05:08 PM
  #4  
RSKim

Thrush I posted this in General too lol....when I click properties on the desktop it just gives me a general tab, and a URL being a file in my C: which I deleted, but nothing happened apart from I got a blank screen now, still won't show my desktop pic no matter how hard I try, the guys in General say it's a virus, but nothing major....gonna go have a look in a min see what I can find

cheers hun
Old 02-08-2006, 06:38 PM
  #5  
Thrush

Reason I asked is I had a problem like this a while ago, and it wasn't a virus as such, but a pretty malicious spyware problem.

I got a dodgy desktop background (it was just blank with a web URL on it) but my IE was hijacked and the home page reset, and I couldn't change it no matter how hard I tried.

I ended up going to this forum : www.d-a-l.com who talked me through everything, supplied the links for the programmes I needed to run and generally solved my problem for me - superb forum with superb users!

Anyway, first of all, just install and run both Ad-Aware and Spybot (links in my first post) and see how that goes for you.
Old 02-08-2006, 06:51 PM
  #6  
RSKim

Sounds pretty much like mine apart from I can get onto the web, it's just affecting my desktop
Old 02-08-2006, 07:42 PM
  #7  
RSKim

It's found 16 so far, 14 in my cookies, which presumably will just disappear when I clear them??

And 2 others, one in my docs and settings and the other a spyware problem...
Old 03-08-2006, 03:29 PM
  #8  
dvid

Try a system restore?
Old 04-08-2006, 06:16 PM
  #9  
RSKim

Done a system restore, it's still the same...

It's getting worse now.....I'm getting a windows explorer error message when I log in, and none of my scroll bar or desktop items appear, I have to ctrl, alt and delete to bring up task manager, log off and log back on again then it's ok
Old 04-08-2006, 08:31 PM
  #10  
BM08

Think it might be time to re-format
Old 05-08-2006, 02:04 PM
  #11  
RSKim

I'm an idiot when it comes to computers, what does re-formatting it include???
Old 05-08-2006, 02:45 PM
  #12  
Thrush

It means sticking the XP installation disc into it, and wiping the entire laptop and re-installing XP all over again. Unless you back up what you want (either on CD-Rs or a plug in USB hard drive) you WILL lose everything on the laptop.....
Old 05-08-2006, 05:40 PM
  #13  
BM08

yep but should sort you out and get back to normal at least and it will probably run better as well because all the crap will be gone
Old 09-08-2006, 06:19 PM
  #14  
RSKim

hmmmm might try that......will speak to the mother see what she has done already...

how do I wipe the laptop??
Old 09-08-2006, 06:48 PM
  #15  
Thrush

As said Kim you need a Windows XP re-installation disc, which you stick in the lappy and it will go into set up mode and guide you through it. You just need to select the re-install option and format the partition where prompted, but it's all pretty much automated so you shouldn't have too much grief
Old 10-08-2006, 09:27 PM
  #16  
RSKim

pmsl I'm female Thrush

I'm sure I'll get loads of grief

Is it just the original XP installation disk? As we have one of them, or is it a different re-installation disk?
Old 10-08-2006, 10:13 PM
  #17  
Thrush

It's the XP one
Old 11-08-2006, 10:57 AM
  #18  
BM08

yep, whack the XP disc in and it's all foolproof as you just click on re-install and click a few buttons.

Yes you're female but I've got faith that you can do this
Old 19-08-2006, 09:25 AM
  #19  
RSKim

Well I'm gonna have a bash today, keep your fingers crossed for me
Old 19-08-2006, 05:03 PM
  #20  
BM08

Everything's crossed for ya
Old 19-08-2006, 10:05 PM
  #21  
Turbocabbie

if you still want to solve this issue without re-installing, download HijackThis from the following URL and send me the logs or post them in the forum.

http://www.spywareinfo.com/downloads.php?cat=sp#det

I would also NOT suggest reformatting because something caused this issue and you need to resolve it in case it happens again, I mean if you hear an engine knock do you establish what it is or just rebuild?
The problem with reinstalling is that the assumption is being made that you have all the drivers and software the laptop requires, which may not be the case; if the laptop is wireless the native driver support for this in Windows XP is poor, which means you could find yourself without a net connection and issues which still require resolving, which makes this harder.

If you want to discuss this or require assistance I would suggest checking out the spywareinfo forums; alternatively I would be willing to help through ICQ or AOL messenger

BTW Norton is horrible, it eats up system resources and performs badly imho
Old 20-08-2006, 09:28 PM
  #22  
RSKim

Glad I couldn't re-format then

Will follow that link see what it throws up, thanks for your help
Old 20-08-2006, 09:32 PM
  #23  
RSKim

Logfile of HijackThis v1.99.1
Scan saved at 22:29:16, on 20/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\A User\Local Settings\Temporary Internet Files\Content.IE5\U5KFMTOH\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [RunSetup] C:\Orange\OrangeConnectionKit\Temp\setup.exe -r
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D6036B1-DA96-41BC-9FCB-82075D5DE038}: NameServer = 194.72.0.98 62.6.40.162
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)
O23 - Service: Winkap - Unknown owner - C:\WINDOWS\System32\Winkap.exe (file missing)
O23 - Service: Winkiu - Unknown owner - C:\WINDOWS\System32\Winkiu.exe (file missing)

That's a long log file
Old 20-08-2006, 10:13 PM
  #24  
Thrush

Right, for a start I certainly don't like the look of this entry;

O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe

That relates to a "worm" known as W32/Rbot-BJV - W32/Rbot-BJV is a network worm with backdoor functionality for the Windows platform. W32/Rbot-BJV spreads using a variety of techniques including exploiting weak passwords on computers and exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WKS and ASN.1).

W32/Rbot-BJV can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-BJV can be instructed by a remote user to perform the following functions:

start an FTP server
start a Proxy server
take part in distributed denial of service (DDoS) attacks
log keypresses
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)

The worm copies itself to a file named mssvcc.exe in the Windows system folder and creates the following registry entries to run on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msconfig38
mssvcc.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services
msconfig38
mssvcc.exe

But alas all is not lost! Patches for the operating system vulnerabilities exploited by W32/Rbot-BJV can be obtained from Microsoft at:

http://www.microsoft.com/technet/sec.../ms04-011.mspx
http://www.microsoft.com/technet/sec.../MS04-012.mspx
http://www.microsoft.com/technet/sec.../MS03-049.mspx
http://www.microsoft.com/technet/sec.../MS04-007.mspx
Old 21-08-2006, 07:00 PM
  #25  
RSKim

So what can I do

Can I delete it or, will there be a scan on one of them links to get rid of it??

I've found out my mate who I got it off took it into PC World and they said they had deleted all the bad files and viruses...looks like they never did anything
Old 21-08-2006, 08:14 PM
  #26  
Thrush

You should be able to patch it with the provided links in my post Kim...
Old 21-08-2006, 08:50 PM
  #27  
RSKim

I had a look but I don't understand what I need to do, oh god I feel like a right dumb bint, leave it with me, let me go find a brain and try and use it
Old 24-08-2006, 03:29 PM
  #28  
Turbocabbie

You also have the remains of past Trojan experiences... the line below

O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)

This indicates a past infection of the W32/Tilebot-FE worm which does the following

# Allows others to access the computer
# Installs itself in the Registry
# Exploits system or software vulnerabilities

It is also known as Backdoor.Win32.SdBot.xd and W32/Sdbot.worm.gen.g

The multiple infections suggest that your Windows system requires patching or updating !!!
Old 24-08-2006, 04:06 PM
  #29  
Turbocabbie

Originally Posted by RSCossieKim
I had a look but I don't understand what I need to do, oh god I feel like a right dumb bint, leave it with me, let me go find a brain and try and use it
LMAO it's ok we will try to help in greater detail... this is the bit where you try to understand what's going on, please do not think I am talking down to you.... I'm trying to explain as simply as I can

------

Your hijack this log has at number 4 the following information :-

O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe

The file mssvcc.exe relates to a "worm" on your computer known as W32/Rbot-BJV

This worm copies itself to the following location on your computer:
• %SYSDIR%\mssvcc.exe
It runs from this location and then deletes itself most of the time.

The worm then needs to run after the machine is restarted in order to infect your computer further and it does this by placing the following information in the Windows registry : (the windows registry is what controls how things run and start on your computer, specific settings and so on)

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "msconfig38"="mssvcc.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services]
• "msconfig38"="mssvcc.exe"

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Ole]
Old value:
• "EnableDCOM"="%user defined settings%"
New value:
• "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
Old value:
• "restrictanonymous"=dword:%user defined settings%
"restrictanonymoussam"=dword:%user defined settings%
New value:
• "restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001


In order to ensure its propagation the worm attempts to connect to other machines as described below. (NOTE : This means machines in contact with this laptop through a network environment may also be infected)

It drops copies of itself to the following network shares:
• IPC$
• C$
• ADMIN$

It uses the following login information in order to gain access to the remote machine:

– The following list of usernames:
• adm; admin; administrador; administrat; administrateur; administrator;
admins; computer; database; db2; dba; default; guest; oracle; owner;
root; staff; student; teacher; wwwadmin

– The following list of passwords:
• 007; 123; 1234; 12345; 123456; 1234567; 12345678; 123456789;
1234567890; 2000; 2001; 2002; 2003; 2004; access; accounting;
accounts; asd; backup; bill; bitch; blank; bob; brian; changeme;
chris; cisco; compaq; control; data; databasepass; databasepassword;
db1; db1234; db2; dbpass; dbpassword; default; dell; demo; domain;
domainpass; domainpassword; eric; exchange; fred; fuck; george; god;
guest; hell; hello; home; homeuser; ian; ibm; internet; intranet; jen;
joe; john; kate; katie; lan; lee; linux; login; loginpass; luke; mail;
main; mary; mike; neil; nokia; none; null; oem; oeminstall; oemuser;
office; orainstall; outlook; pass; pass1234; passwd; password;
password1; peter; pwd; qaz; qwe; qwerty; root; sam; server; sex;
siemens; slut; sql; sqlpassoainstall; sue; susan; system; technical;
test; unix; user; web; win2000; win2k; win98; windows; winnt; winpass;
winxp; www; zxc

The worm also makes use of the following issues in Windows; you need to fix the problems by downloading the updates associated with them. The exploits are described below, although not all of them are applicable to your computer. You simply need to download the updates posted by Thrush

– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)

This worm also has the ability to use your system for attacks on other users in what is called a distributed denial-of-service attack (DDoS); to do this the system has to provide information about itself and present itself for remote control, which it does by connecting to the following IRC (Internet Relay Chat) servers :

Server: **********.slateit1703.info
Port: 8080
Channel: #final,#finaldownload
Nickname: USA|%six-digit random character string%
Password: he.he

Server: **********.3071tietals.info
Port: 8080
Channel: #final,#finaldownload
Nickname: USA|%six-digit random character string%
Password: he.he

This worm has the ability to collect and send information such as:
• CPU speed
• Current user
• Details about drivers
• Free disk space
• Free memory
• Malware uptime
• Information about the network
• Size of memory
• Information about the Windows operating system

Furthermore it has the ability to perform actions such as:
• connect to IRC server
• Launch DDoS ICMP flood
• Launch DDoS SYN flood
• Launch DDoS UDP flood
• Disable DCOM
• Disable network shares
• disconnect from IRC server
• Download file
• Enable DCOM
• Enable network shares
• Execute file
• Join IRC channel
• Kill process
• Leave IRC channel
• Open remote shell
• Perform network scan
• Restart system
• Start spreading routine
• Terminate malware
• Updates itself
• Upload file

A backdoor (UDP port 69) onto your system will be created and made available for remote access; this is used for an FTP (File Transfer Protocol) server which can be used to upload files to your machine.

If you understand that then we can move onto removing it and all aspects of it... does this help or do I need to go even simpler... I can
Old 24-08-2006, 06:55 PM
  #30  
Thrush

Okay Kim - there is an easy way to fix this hun....

Run that HIJACKTHIS programme again till you get the results - don't close it when it has done!!!!

Scroll down the report till you see this entry;

O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe

highlight this (make sure no other items have a tick next to them) and put a tick in its box. On the interface of your HIJACK THIS programme you have a button that says FIX CHECKED. Press this. This should remove the item from your PC and sort it out for you.



I would also advise you do the same with the line;

O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)

as well, as already pointed out - it's a left over trojan file....
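The entry checks the replies above make by hand (the bare-name and RunServices O4 autoruns, the O23 services with an unknown owner or a missing file) plus a before/after comparison of two scans, written up as an added Python example that is not part of this thread and not code from HijackThis. The sample log lines are constructed from the log posted above; the severity labels and the RunServices rule are the editor's own heuristics, not anything HijackThis itself reports.

```python
"""Triage helpers for HijackThis v1.99 logs, following the checks the
replies in this thread make by hand.

Added example: not code from the thread, from HijackThis or from any
vendor writeup.  Two heuristics are applied:
  * O4 autoruns whose command is a bare file name with no directory
    (like mssvcc.exe) or that sit under the RunServices key;
  * O23 services whose owner is unknown and/or whose file is missing.
A diff of two scans shows what a "Fix checked" run actually removed.
The sample lines are constructed from the log posted above.
"""
import re
from typing import Iterator, List, NamedTuple

# O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: description - owner - path [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


class Finding(NamedTuple):
    severity: str  # "high" = act on it, "review" = weak evidence, look closer
    line: str
    reason: str


def _executable(cmd: str) -> str:
    """Return the program part of an autorun command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _check_o4(line: str) -> Iterator[Finding]:
    m = O4_RE.match(line)
    if not m:
        return
    exe = _executable(m.group("cmd"))
    # A bare file name gives no directory at all; every legitimate O4 entry
    # in the posted log names the full path of what it starts.
    if exe and "\\" not in exe and ":" not in exe:
        yield Finding("high", line, f"autorun starts bare file name {exe!r} with no directory")
    # RunServices is a Windows 9x-era key that XP-era software has no reason to use.
    if m.group("key").lower() == "runservices":
        yield Finding("high", line, "autorun registered under the RunServices key")


def _check_o23(line: str) -> Iterator[Finding]:
    m = O23_RE.match(line)
    if not m:
        return
    if "(file missing)" in m.group("path"):
        yield Finding("high", line, "service is still registered but its binary is gone")
    elif m.group("owner").lower() == "unknown owner":
        # Weak on its own: ibmpmsvc.exe in the posted log is a genuine ThinkPad
        # service whose binary simply carries no company name.
        yield Finding("review", line, "service binary has no recognised owner")


def triage(log_text: str) -> List[Finding]:
    """Run both checks over every line of a HijackThis log, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        findings.extend(_check_o4(line))
        findings.extend(_check_o23(line))
    return findings


def entries_removed(before: str, after: str) -> List[str]:
    """Entries (R*/O* lines) present in the earlier scan but gone from the later one."""
    def entries(text: str) -> set:
        return {ln.strip() for ln in text.splitlines() if re.match(r"^[RO]\d+ - ", ln.strip())}
    return sorted(entries(before) - entries(after))


# Constructed sample: a handful of entries copied from the log posted in this thread.
BEFORE = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)
"""
# The same machine after ticking only the RunServices line, as the thread did.
AFTER = BEFORE.replace(r"O4 - HKLM\..\RunServices: [msconfig38] mssvcc.exe" + "\n", "")

if __name__ == "__main__":
    for f in triage(BEFORE):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print("removed by the fix:", entries_removed(BEFORE, AFTER))
    print("still flagged high:", [f.line for f in triage(AFTER) if f.severity == "high"])
```

Run against the two logs in this thread, the diff shows the RunServices line gone while the matching HKLM\..\Run entry for mssvcc.exe is still present, which is why fixing one ticked line is not the end of the job.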
Old 24-08-2006, 08:00 PM
  #31  
RSKim

OMG how helpful are you guys, I owe you both BIG time..

Well I had a mess around, AND I went onto the Microsoft website, I think it was Microsoft that Thrush posted, and checked to see if my windows version was genuine, and it is not, so it will not let me get any of the updates....

Now I do have an XP disk, so do I need to re-install a genuine windows programme before I can do any of the above??


UnseenMenace thank you SO much for spending the time writing that out i appreciate it SO much!!!!!!

Will try what you say Thrush, will it let me do this even though I don't have a genuine copy of windows?

I found my brain btw, think I may have been having a bad night the other night!!!

Old 24-08-2006, 08:16 PM
  #32  
RSKim

Ok I done what you said Thrush, just as I say I cannot load the updates as my windows copy isn't genuine, so do I just now put in my XP disk and install??

I'm still in shock at how helpful you are

UnseenMenace God hun I appreciate you simplifying it for me, I know you're not talking down to me hun....it's nice that someone is willing to simplify things for the erm lesser knowledged people, or in my case thick bints

Think I understand what you have said, so is it just a case of downloading them updates from microsoft?

Cheers guys xxxxx
Old 24-08-2006, 08:19 PM
  #33  
RSKim

And this is my log file now:

Logfile of HijackThis v1.99.1
Scan saved at 21:10:58, on 24/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\A User\Local Settings\Temporary Internet Files\Content.IE5\C56JGHE3\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [RunSetup] C:\Orange\OrangeConnectionKit\Temp\setup.exe -r
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D6036B1-DA96-41BC-9FCB-82075D5DE038}: NameServer = 62.6.40.162 194.72.0.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)
O23 - Service: Winkap - Unknown owner - C:\WINDOWS\System32\Winkap.exe (file missing)
O23 - Service: Winkiu - Unknown owner - C:\WINDOWS\System32\Winkiu.exe (file missing)


What are the last two files? That file name it's giving me, system32, is the file name I get when I select properties on my desktop.
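The checks a helper applies by eye to a log like the one above (a start page pointing at a local HTML file, a Run key with a bare filename or a label borrowed from a Windows tool, a service with no vendor whose binary is gone) can be written down and run over the log. The script below is an added example for this thread, not HijackThis output or code from the forum; the sample lines are a constructed excerpt of the kinds of entries in the posted log, and the tool-name list, the System32 allowlist and the severity labels are assumptions of the example, kept short on purpose and meant to be extended:

```python
"""Triage a HijackThis log: flag the entry types that most often carry persistence.

Added example, not part of the forum thread. Sample lines are a constructed excerpt
modelled on the posted log; the name lists below are assumptions, not a vendor feed.
"""
import re
from typing import List, Tuple

SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [msconfig38] mssvcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)
O23 - Service: Winkap - Unknown owner - C:\WINDOWS\System32\Winkap.exe (file missing)
"""

R_LINE = re.compile(r"^R[01] - (?P<key>.+?),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# Windows tool names that malware labels itself after (assumption: illustrative list).
SYSTEM_TOOL_NAMES = {"msconfig", "svchost", "lsass", "csrss", "winlogon", "services", "explorer"}
# Binaries that legitimately autostart from System32 on XP (assumption: minimal allowlist).
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}

Finding = Tuple[str, str, str]  # (severity, reason, log line)


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_r(m, line: str) -> List[Finding]:
    """Start/Default/Local page set to a local file other than XP's own blank.htm."""
    value = m.group("value").strip()
    if re.match(r"^[a-zA-Z]:\\", value) and not value.lower().endswith(r"\system32\blank.htm"):
        return [("suspicious", f"{m.group('name').strip()} points at local file {value}", line)]
    return []


def check_o4(m, line: str) -> List[Finding]:
    findings: List[Finding] = []
    label = m.group("label")
    exe = executable_of(m.group("cmd"))
    folder, _, base = exe.replace("/", "\\").rpartition("\\")
    folder, base = folder.lower(), base.lower()
    stem = base[:-4] if base.endswith(".exe") else base
    # 1. Bare filename: resolved via the search path, so there is no fixed binary to inspect.
    if not folder:
        findings.append(("suspicious", f"Run entry [{label}] names bare file {base} with no path", line))
    # 2. Label borrows a Windows tool's name but the command runs something else.
    label_norm = re.sub(r"[\d\s]", "", label.lower())
    if label_norm.endswith(".exe"):
        label_norm = label_norm[:-4]
    for tool in SYSTEM_TOOL_NAMES:
        if tool in label_norm and stem != tool:
            findings.append(("suspicious", f"label [{label}] imitates {tool} but runs {base}", line))
            break
    # 3. Autostart straight out of System32 that is not on the allowlist: look at it by hand.
    if folder.endswith("\\windows\\system32") and base not in KNOWN_SYSTEM32_AUTORUNS:
        findings.append(("review", f"{base} autostarts from System32 but is not a known Windows autorun", line))
    return findings


def check_o23(m, line: str) -> List[Finding]:
    """Services with no vendor string and/or a binary that no longer exists."""
    name, owner, missing = m.group("name"), m.group("owner"), m.group("missing")
    if owner == "Unknown owner" and missing:
        return [("suspicious", f"service '{name}' has no vendor and its binary is gone (orphaned registration)", line)]
    if owner == "Unknown owner":
        return [("review", f"service '{name}' has no vendor information", line)]
    if missing:
        return [("review", f"service '{name}' binary is missing", line)]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run every check over a HijackThis log and return the findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for pattern, check in ((R_LINE, check_r), (O4_LINE, check_o4), (O23_LINE, check_o23)):
            m = pattern.match(line)
            if m:
                findings.extend(check(m, line))
                break
    return findings


def suspicious_lines(log_text: str) -> List[str]:
    """Only the log lines rated 'suspicious', deduplicated, in log order."""
    seen, out = set(), []
    for severity, _reason, line in triage(log_text):
        if severity == "suspicious" and line not in seen:
            seen.add(line)
            out.append(line)
    return out


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:10}] {reason}\n             {line}")
```

On the sample, the four lines a helper would tell the poster to fix (the hijacked start page, the msconfig38 Run key and the two orphaned services) come out as suspicious, intell321.exe comes out as review, and the QuickTime, ctfmon and Symantec entries are not flagged. Orphaned service entries are worth noting even after the binary is gone: a "(file missing)" service with "Unknown owner" is usually what is left behind once an antivirus deletes the file, and the registration itself still needs removing.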
Old 24-08-2006, 08:57 PM
#34
Thrush

Not sure about the last two hun, tho you say when you click properties on your desktop you get something about "system32"??? Can you get me a pic of what you get when you right click on the desktop and select properties?

The line O4 - HKLM\..\Run: [msconfig38] mssvcc.exe is still there, so that needs to be FIX CHECKED, then re-scan again with HijackThis (post a new log file).

At this point Kim, I am getting to the end of my registry knowledge, and there might be something I am missing.

Go to this site: http://www.d-a-l.com/help/, register like you did with PassionFord and start a help topic in the "Windows XP Help" forum. Tell them what you have told us, and include an up-to-date HJT log file (like you have been posting for us).

When I had problems I couldn't solve, I did this and there are some UBER geeks on there that really know their shit and they have saved my ass several times now!!!!

Gotta be worth a try

Now, before re-installing XP (always a last resort ideally) is your copy registered? On the lappy somewhere you should have a sticker that looks like this;



This should have a long code on it that is the product key licence - you need to make sure yours is actually registered, otherwise it will come up as a non-genuine version when you try to get updates from Microsoft's site...

To find out if yours is registered, go to CONTROL PANEL and double click the SYSTEM icon. This should open a small window with your details in it, and look like this;



In the second paragraph, REGISTERED TO, should be your details, or the details of the person who had it before you; under the name should be a long number like this;

xxxxx-OEM-xxxxxxxx-xxxxx (the x's would actually be numbers lol)

If you don't have this then you need to register your copy of XP with Microsoft via the web in order to receive a validation in order to download updates and patches. You will need your product licence number for this (if you can't see it on the computer, look in the packaging with your discs as it is sometimes in there as well).

Only thing is, I can't remember how to activate/register the licence code. It's been so long since I did it, and I always do it after a fresh install.

Someone will know, so hold off re-installing for the time being tho babe.
Old 24-08-2006, 09:28 PM
#35
RSKim

That log above is after I removed the file you told me to, so shall I try getting rid of them again??

lol nope, there's no code anywhere... will go check my system now, cheers hun x
Old 24-08-2006, 09:32 PM
#36
RSKim

Just had a look, it says registered to A-User and has a code there.

Now I'm getting confused!!
Old 24-08-2006, 09:40 PM
#37
Thrush

I am confused as well - unless it really IS a dodgy copy of Windows and a fake product key (as in, it's a pirate copy with a keygen product key).
Old 24-08-2006, 09:54 PM
#38
RSKim

It could be, my laptop was VERY cheap......
Old 24-08-2006, 09:56 PM
#39
Thrush

It might be quicker if you post it to me and I'll sort it.
Old 24-08-2006, 10:10 PM
#40
RSKim

fpmsl, if I could I would...... you gotta be more trustworthy than PC Fookin World!!!!!!!!!!!!!!!!
