
Registered · 33 Posts · Discussion Starter · #1
Hi guys, I just reformatted my drive today, but I think I have been given a virus or spyware of some sort. I'm using Windows XP Home Edition.
When I reformatted I installed my drivers for the graphics card and sound card and then I installed my modem. It connected to make sure it was working; it must have only been on for like 30 seconds, then I disconnected (this is before ANY Windows update and I never had my firewall on). When I disconnected I got a Windows message saying another person or program is trying to dial my connection, asking if I should let it; it stated xxxtoolbar.com.

I then installed everything I need and all the Windows updates including SP2. Then I was just browsing my computer and saw in my Program Files a folder titled ***** (sorry for the language, but you might need to know the exact word).

I certainly never put it there and I don't think it's a new addition included in Windows Update :)
The folder was empty.

I deleted it, and on further browsing I was looking at my system processes in Task Manager and saw a lot of things that were not there before the reformat, namely Navprotect.exe. I'm told this is Norton Anti Virus, but I don't and never have had Norton Anti Virus.
I ended the process and went to msconfig so I could stop it from starting when I booted up. I unchecked it and rebooted, but it was there on startup. I went to Services and could not see anything that looks like it could be it (but I don't know what I'm looking at anyway).

I went back to msconfig and there were now 3 instances of Navprotect.exe, all checked. I unchecked them all and rebooted, but still there are MORE of them now.
I'm really confused about all this, so I have taken a HijackThis log and hope you people who actually know what you're talking about can help me, as I don't know the first thing about this stuff.
Thanks for any help you can give me.

Logfile of HijackThis v1.99.0
Scan saved at 21:24:24, on 13/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\BTVOYA~2\oamSender.exe
C:\WINDOWS\system32\navprotect.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Booster] C:\PROGRA~1\BTVOYA~2\oamSender.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAF7C7A9-2B28-4C32-9518-6EFCC7509210}: NameServer = 194.74.65.69 194.72.9.34
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: CTI Central Management - Unknown - C:\WINDOWS\cti.exe
 

Registered · 46,465 Posts
Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe


Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now find and delete this file:

C:\WINDOWS\system32\navprotect.exe

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.

Empty the Recycle Bin

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

When you are sure you are clean turn it back on and create a restore point.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point, something like "After trojan/spyware cleanup". Click Create and you're done.

IMPORTANT!: I see that you do not have an antivirus running or a firewall. If I may say this without being rude, with the net as it is these days it is quite foolish to be without an antivirus and a firewall. By all means get both ASAP! See This thread for some good free ones.
 

Registered · 33 Posts · Discussion Starter · #3
Hi, first off thanks very much for taking the time to help me.

But unfortunately I followed the steps you stated and it has not worked. I tried 4 times and every time I reboot the navprotect.exe is back there waiting for me. I was very careful that I followed your steps exactly and never left anything out.

Whenever I run HijackThis and check and delete the navprotect lines, it asks me if I'm sure I want to delete them. I click yes and all seems fine, but the files don't get deleted; if I run HijackThis again the files are there every time, no matter how much I try to delete them.
Is there a way I can try to delete the registry keys manually? (If indeed these are registry keys, because I'm a novice, remember.)

I boot in safe mode, do all the stuff, delete navprotect from system32, do the rest of the stuff, then reboot, but again navprotect is always there waiting for me when I reboot. I left the process running there in Task Manager as I browsed to this page; my internet went very, very slow and eventually I could not load any page up at all, I just got a 404 error page. As soon as I ended the process in Task Manager it went back to normal.

Suffice to say I'm out of my depth here and don't know what I should do.
Can you offer any further help?
Here is my new HijackThis log, taken just before I ended the navprotect process 5 min ago.

Logfile of HijackThis v1.99.0
Scan saved at 23:38:17, on 13/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\BTVOYA~2\oamSender.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\navprotect.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Booster] C:\PROGRA~1\BTVOYA~2\oamSender.exe
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: CTI Central Management - Unknown - C:\WINDOWS\cti.exe

Have you had any run-ins with this thing before? Would it have "jacked" me when I was trying my modem for those 30 seconds before I had any Windows updates or the Windows Firewall on?
Google provides nothing but a couple of German pages when I look for Navprotect.exe.
 

Registered · 46,465 Posts
Click Here and download the new version of Killbox and save it to your desktop.

Hit the Ctrl + Alt + Del keys simultaneously to bring up the Task Manager. Click on the Processes tab. Find navprotect.exe in the list of processes and select it, then click the "End Process" button. Double-check to make sure it is stopped.

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste the following line, then click on the button that has the red circle with the X in the middle. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No.

C:\WINDOWS\system32\navprotect.exe

Now exit the Killbox.

Fix these with Hijack This again:

O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe


Now restart your computer.
 

Registered · 2 Posts
OK, I made sure navprotect.exe was ended, then I downloaded Killbox to the desktop, ran it, copied the line in and checked delete on next reboot. I hit the red X and confirmed it, then I exited and ran HijackThis, checked the 2 navprotect lines to be fixed and clicked fix, closed HijackThis and rebooted.

Sadly nothing has changed and it's all still there. My PC boots up, waits at the desktop, I hit Ctrl+Alt+Delete to get Task Manager up and then my PC kind of stutters as if it's loading the navprotect, then the Windows Messenger icon appears in my taskbar tray even though I set it to not be on at startup in msconfig, and a process called sman.exe vanishes from the process list and I think navprotect loads. This all happens when I press Ctrl+Alt+Delete, in the space of like 5 seconds, and I can't tell if navprotect was in the processes from the start or if it got loaded up with the "stutter".

If, when my PC reboots, I don't press Ctrl+Alt+Delete, it still "stutters" and loads the MSN Messenger icon in the taskbar after about 1 min.

All this has been like that since my first post in this thread, not just since I tried that last thing. Forgive me if I'm not being very insightful, but I can't think of anything else to help you help me :)

So is there anything else I can do? Would it be almost certain that it "got" me when I was connected and opened Internet Explorer for those 30 seconds before I had any updates?
 

Registered · 33 Posts · Discussion Starter · #6
Oops, sorry for the mix-up, but that jinky guy IS me. I must have typed the wrong name in when logging in; this site keeps logging me out and stuff whenever I change pages.
 

Registered · 7,525 Posts
Do you know what this entry is?
O23 - Service: CTI Central Management - Unknown - C:\WINDOWS\cti.exe

Find C:\windows\CTI.exe and right click on the file. Click the version tab if there is one and get the details. Post those if there are any.

Also, go here and upload it to have a quick Virus scan run on this file.
http://virusscan.jotti.dhs.org/

Post the results.
 

Registered · 7,525 Posts
Also, would you mind sending me a copy of both files please for analysis?
Create a new folder. Copy
navprotect.exe and cti.exe
into the folder. Right click on the folder and choose Send To compressed.

Email the compressed file this will create to me at:
Katie_3232 @hotmail.com

I added an extra space to the email address. Please remove it to allow the email to work. Thanks.
 

Registered · 33 Posts · Discussion Starter · #9
Hi, there was no version tab for the files, but I uploaded it to the site you mentioned and it is indeed infected. I copied and pasted the result:

Service load: 0% 100%

File: cti.exe
Status: INFECTED/MALWARE
Packers detected: PE_PATCH, MEWBUNDLE, MEW

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.92 seconds taken)
ClamAV No viruses found (0.36 seconds taken)
Dr.Web No viruses found (0.53 seconds taken)
F-Prot Antivirus No viruses found (0.65 seconds taken)
Kaspersky Anti-Virus No viruses found (0.68 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.76 seconds taken)
Norman Virus Control Sandbox: W32/Malware; [ General information ]

* File length: 26112 bytes.

[ Changes to registry ]
* Sets value "Flags"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1001"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1004"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1200"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1201"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1206"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1400"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1402"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1405"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1406"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1407"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1601"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1604"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1605"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1606"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1607"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3". (2.69 seconds taken)

What should I do?

*edit* Just seen your second post, they're on their way, friend.
 

Registered · 7,525 Posts
Let's try this.

Boot to Safe mode and then clean as flrman1 directed earlier. Then go to start>Run and type services.msc

Press enter.

Find the entry for the Service.
CTI Central Management

Double click on that and it will bring up a properties page. Select Disable next to Startup Type. Then find the cti.exe file in the Windows Directory and delete it. But please first zip it so you can send me a copy. Thanks. So now you have disabled the service and deleted its file.

Use hijackthis to fix the entry for it. (along with what you had already done about navprotect again)
O23 - Service: CTI Central Management - Unknown - C:\WINDOWS\cti.exe

This is cute. It has disabled any protections you had set up in the Internet Security Zone. Go into Control Panel to Internet Properties. Click the Security tab. Be sure the Internet zone is highlighted. Click the Custom Level button. Then reset to Medium.

After you do that restart into regular windows and send me the files please.

Then go here and read and follow the directions to reset your Security zone. Get the protections too.
http://www.computercops.biz/postt7736.html

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/

Allow them to clean

Post a new Hijackthis log and also let us know how you did following each step.
 

Registered · 33 Posts · Discussion Starter · #11
IT WORKED
I did as you said, but it seemed to get fixed before I even got to the bit where I run HijackThis, as there were no entries (and are none) in HijackThis for CTI or Navprotect.exe.
Sorry it took so long for a reply, but I was just doing all the help mentioned in that link you provided.
I sent you the files, hope you got them.
I am really, really, REALLY grateful to you both for your help; you are very kind and very skilled people. My heart sank when I had just reformatted and then saw a folder in my Program Files calling me a... you know what lol
I would have been lost without you, and you can rest assured that my donation to this site will equal my gratitude to you.
This site is truly great.
Thanks again, and if there is any more info you need from me then just ask.

Here is my latest HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 02:28:08, on 14/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\PROGRA~1\BTVOYA~2\oamSender.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Booster] C:\PROGRA~1\BTVOYA~2\oamSender.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAF7C7A9-2B28-4C32-9518-6EFCC7509210}: NameServer = 194.74.65.69 194.72.9.34
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

All the best to you my friends and may the karma be ten fold
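The three logs in this thread show the pattern the helpers worked from: one binary wired into HKLM Run, HKLM RunServices and HKCU Run at once, plus a service with no vendor sitting directly in C:\WINDOWS. The script below is an added example (not from this thread or from HijackThis itself) that parses O4/O23 lines in the HijackThis 1.99 format, flags those patterns, and diffs a before and after log to confirm what a cleanup removed; the sample logs are constructed from the entries quoted above.

```python
"""Triage helper for HijackThis 1.99 logs (added example, not from the thread)."""
import re
from collections import Counter

# Constructed from the O4/O23 lines quoted in the thread's first log.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CTI Central Management - Unknown - C:\WINDOWS\cti.exe
"""
# Constructed from the final (clean) log in the thread.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|scr|bat))(?:"|\s|$)', re.I)

def parse_log(text):
    """Pull O4 autostart entries and O23 services out of a HijackThis log."""
    autostart, services = [], []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            autostart.append(m.groupdict())
            continue
        m = O23_RE.match(line.strip())
        if m:
            services.append(m.groupdict())
    return {"autostart": autostart, "services": services}

def executable_name(cmd):
    """Lower-cased file name of the launched binary, ignoring quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    path = m.group("path") if m else cmd.strip()
    return path.rsplit("\\", 1)[-1].lower()

def flag_entries(parsed):
    """Return (exe, reason) pairs worth a second look. A bare file name is a weak
    signal on its own (CTHELPER.EXE is legitimate); the same binary wired into
    several autostart locations, as navprotect.exe was, is the stronger one."""
    findings = []
    seen = Counter(executable_name(e["cmd"]) for e in parsed["autostart"])
    for e in parsed["autostart"]:
        exe, loc = executable_name(e["cmd"]), f'{e["hive"]}\\..\\{e["key"]}'
        if seen[exe] > 1:
            findings.append((exe, f"in {seen[exe]} autostart locations, incl. {loc}"))
        if "\\" not in e["cmd"]:  # no directory: resolved through the search path
            findings.append((exe, f"no full path in {loc}; resolved via search path"))
    for s in parsed["services"]:
        if s["vendor"] == "Unknown":
            findings.append((executable_name(s["path"]), f'service "{s["svc"]}" has no vendor: {s["path"]}'))
    return findings

def diff_logs(before, after):
    """Which autostart/service entries a cleanup removed, and which appeared since."""
    def keys(text):
        p = parse_log(text)
        return ({f'O4 {e["hive"]}\\..\\{e["key"]} {executable_name(e["cmd"])}' for e in p["autostart"]}
                | {f'O23 {s["svc"]} {executable_name(s["path"])}' for s in p["services"]})
    b, a = keys(before), keys(after)
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    for exe, why in flag_entries(parse_log(LOG_BEFORE)):
        print(f"{exe:16} {why}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed by cleanup:", *removed, sep="\n  ")
    print("new since cleanup:", *added, sep="\n  ")
```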
 

Registered · 7,525 Posts
Thank you. And you're very welcome.

The donation will be appreciated very much. It will help to keep the site up and running.

I sent you a return email when I got the files. Thanks again for sending them. They are malware and will be sent out to the right people.

Your log looks good. Very neat and spare.

I can only imagine how disgusted you were to be infected so quickly. There are a lot of predators on the internet making people miserable.

Be sure to get the right protection and keep up to date at Windows Update. A good anti virus and firewall are very important.

The problem is I am not sure if whatever passwords you had on the computer at the time were secure. I am not sure of the nature of these infections. I would change any sensitive information you had on the system if I were you just to be careful.

Keep a close eye on how things go and if there's a problem post again.

Once you are sure everything is in working order, after something like this it is a good idea to flush the Restore Points and start fresh.
To flush the XP System Restore points:

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore.


Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.


Good luck,
Mo
 