WARNING! You're in danger... on desktop
-
IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
- Status
1 - 7 of 7 Posts
I have installed and run spybot13, Lavasoft ad-aware and Microsoft AntiSPYware. But it didn't work. And here is my HJT log. Thank you very much for your help.
Logfile of HijackThis v1.99.0
Scan saved at 16:36:23, on 17.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Nokia\Nokia D211\D211CTL.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ERDOGAN\LOCALS~1\Temp\Geçici Dizin 1 (hijackthis.zip için)\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AB07D8D0-2369-881F-81AF-C71825A24FD7} - C:\WINDOWS\ntrf.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: (HKLM)
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/45a987d8/enter.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BRISANET.brisa.com.tr
O17 - HKLM\Software\..\Telephony: DomainName = BRISANET.brisa.com.tr
O17 - HKLM\System\CCS\Services\Tcpip\..\{25CC7146-7263-47DB-87FF-CDA0E81DC512}: NameServer = 172.21.1.3,172.21.1.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BRISANET.brisa.com.tr
O23 - Service: AVG6 Service - GRISOFT(c) SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Nokia D211 - Nokia Corporation - C:\Program Files\Nokia\Nokia D211\D211CTL.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Multi-user Cleanup Service - Unknown - C:\lotus\notes\ntmulti.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\ntlz32.exe (file missing)
Logfile of HijackThis v1.99.0
Scan saved at 16:36:23, on 17.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Nokia\Nokia D211\D211CTL.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ERDOGAN\LOCALS~1\Temp\Geçici Dizin 1 (hijackthis.zip için)\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AB07D8D0-2369-881F-81AF-C71825A24FD7} - C:\WINDOWS\ntrf.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: (HKLM)
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/45a987d8/enter.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BRISANET.brisa.com.tr
O17 - HKLM\Software\..\Telephony: DomainName = BRISANET.brisa.com.tr
O17 - HKLM\System\CCS\Services\Tcpip\..\{25CC7146-7263-47DB-87FF-CDA0E81DC512}: NameServer = 172.21.1.3,172.21.1.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BRISANET.brisa.com.tr
O23 - Service: AVG6 Service - GRISOFT(c) SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Nokia D211 - Nokia Corporation - C:\Program Files\Nokia\Nokia D211\D211CTL.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Multi-user Cleanup Service - Unknown - C:\lotus\notes\ntmulti.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\ntlz32.exe (file missing)
Joined
·
72,209 Posts
Hi cas4858, Welcome to TSG!!
You are running hijackthis from a temporary folder. The backups that hijackthis creates can be accidentally deleted when not in a permanent folder. Please do the following;
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
Post another log with HJT in the permanent folder.
You are running hijackthis from a temporary folder. The backups that hijackthis creates can be accidentally deleted when not in a permanent folder. Please do the following;
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
Post another log with HJT in the permanent folder.
Joined
·
1,137 Posts
Download DelDomains from here:
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-Click and select "Install".
Restart your computer and post a fresh HijackThis log back on this thread.
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-Click and select "Install".
Restart your computer and post a fresh HijackThis log back on this thread.
Joined
·
72,209 Posts
Hi cas4858, I'm sure we have a time zone difference! 
I agree with crushbone, get the DelDomains.inf and install that as well.
Run HJT again and put a check in the following:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AB07D8D0-2369-881F-81AF-C71825A24FD7} - C:\WINDOWS\ntrf.dll (file missing)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: (HKLM)
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/45a987d8/enter.cab
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\ntlz32.exe (file missing)
Close all applications and browser windows before you click "fix checked".
Reboot and post one more HJT log.
I agree with crushbone, get the DelDomains.inf and install that as well.
Run HJT again and put a check in the following:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AB07D8D0-2369-881F-81AF-C71825A24FD7} - C:\WINDOWS\ntrf.dll (file missing)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: (HKLM)
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/45a987d8/enter.cab
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\ntlz32.exe (file missing)
Close all applications and browser windows before you click "fix checked".
Reboot and post one more HJT log.
1 - 7 of 7 Posts
- Status
Join the discussion
