Hijack Or Virus Weird Characters


Recommended Posts

Few things here:

For a couple of months my PC has been quite slow and I noticed a long list of programs running each time I start my PC.

I use Win XP.

My Outlook displays a square shaped sign insted of ' . I've managed to solve this but it comes back to this square shape again...

Can anyone help so that I can find back a normal use of my laptop?

Here is my Hijack This log:

Logfile of HijackThis v1.99.1

Scan saved at 10:25:32 , on 15/06/05

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\SPAMfighter\SFAgent.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\System32\atievxx.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\Yann A\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.155.0.10

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [sPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103547812896

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Yann.

Link to post
Share on other sites

Hi and Welcome,

Please run this free online scan, tick the autoclean box.

http://housecall.antivirus.com/

Then open HijackThis and click 'Open the Misc Tools section'

Click 'Generate StartupList log'

Notepad will open up, copy all the contents and paste them here.

Also, how long is it taking to startup?

We'll go from there :thumbsup:

B

Link to post
Share on other sites

Hi BT,

Thanks for your help. By runnig the latest version of House Call, I already removed 3 spyware that seemed to be called Cookie 968, Cookie 1887 and Cookie 2513.

Now I still have 14 vulnerabilities and not so sure on what to do for this:

MS01-056, MS01-059, MS02-045, MS03-007, MS03-014, MS03-030, MS03-041, MS03-043, MS04-013, MS04-015, MS04-016, MS04-018, MS04-022 ,MS04-023

Followed your instructions regarding the StartupList log and there it is:

StartupList report, 16/06/05, 21:20:38

StartupList version: 1.52.2

Started from : C:\Documents and Settings\Yann A\Local Settings\Temp\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

==================================================

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\SPAMfighter\SFAgent.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\System32\atievxx.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\WINZIP\winzip32.exe

C:\Documents and Settings\Yann A\Local Settings\Temp\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Device Detector = "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

vptray = C:\PROGRA~1\SYMANT~1\VPTray.exe

Error Nuker = C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart

Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

SPAMfighter Agent = "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60

gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Disk Cleanup.job

Symantec AntiVirus.job

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]

InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx

CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

[{15589FA1-C456-11CE-BF01-000000000000}]

CODEBASE = http://www.errornuker.com/products/errn200...erInstaller.exe

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[symantec AntiVirus scanner]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll

CODEBASE = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

[Office Update Installation Engine]

InProcServer32 = C:\WINDOWS\opuc.dll

CODEBASE = http://office.microsoft.com/officeupdate/content/opuc2.cab

[WUWebControl Class]

InProcServer32 = C:\WINDOWS\System32\wuweb.dll

CODEBASE = http://v5.windowsupdate.microsoft.com/v5co...b?1103547812896

[symantec RuFSI Utility Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll

CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------

End of report, 6,411 bytes

Report generated in 0.350 seconds

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

Thanks for your help...

Yann.

Link to post
Share on other sites

First thing I see right away is that your Operating system and Internet Explorer are both unpatched.

This is a MUST nowadays!!!

You need to get SP2 for XP and IE immediately as there are many vulnerabilities that need to be closed up. Go to Windows Update and get SP2 installed ASAP, it's gonna be a big d'load but you need it.

Link to post
Share on other sites
  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...