OK, I have some viruses and can't get rid of them. They are Trojan horse clickers and Delf downloaders and Trojan horse generic. I have loads. I just got them one day and can't get rid of them with Norton, AVG, Protector Plus or spyware removal programs. And since yesterday the PC randomly restarts to a blue screen. I can't really see what it says because it's only there for a second or so, but it says system shutdown or something. Can anyone help?
Have you tried to open in safe mode and disconnected from the internet? My friend had a bugger of a dialer; he installed Microsoft AntiSpyware Beta and that took care of it. I had a browser hijack that eTrust EZ Armor could not get rid of. However, the Microsoft program did.
Hi Pontius, please try to post a HijackThis log. Instructions ---> http://forums.afterdawn.com/thread_view.cfm/263784 (Steps 3,4,5)
OK, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 3:42:26 AM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\alt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DAP\DAP.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.contentcooler.biz
O15 - Trusted Zone: www.new-access.biz
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: browsela - c:\windows\system32\browsela.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\o484lelq1hqe.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Hi again Pontius.

You have two antivirus programs running and it may be one reason for your crashes. You must remove one of them. I suggest that you remove AVG Antivirus, especially if you have a licence for Norton. So go to the Control Panel --> Add or remove programs and remove AVG OR Norton.

You also have some malware on your computer.

Cleaning instructions

Disable Microsoft Antispyware (it may hinder the cleaning process. Also check that it is disabled after every restart).

1. Download Delfkill to your desktop -> http://users.telenet.be/marcvn/tools/win32delfkil.exe
Do NOT run it yet.

2. Download Look2Me-Destroyer to your desktop -> http://www.atribune.org/ccount/click.php?id=7
Do NOT run it yet.

3. Update Ewido. Do NOT scan yet.

4. Close all windows before proceeding.
-> Double-click Look2Me-Destroyer.exe to run the program.
-> Check the "Run this program as a task" option.
-> You get a message: "Look2Me-Destroyer will close and re-open in approximately 10 seconds". Click OK.
-> When Look2Me-Destroyer opens again, click the "Scan for L2M" option. Your desktop icons will disappear for a second, but it is normal.
-> When scanning is ready, click the "Remove L2M" option.
-> When you get the message "Done Scanning", click OK.
-> When ready you'll get this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer". Click OK.
-> Your computer will shut down.
-> Restart your computer.
If your firewall alerts about connections to this program, allow those.
(IF you get runtime error '339', download MSWINSCK.OCX from the following link and place it in the folder C:\Windows\System32
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
Try again.)

5. Double-click the windelfkill32.exe file on your desktop. A win32delfkill folder will appear on your desktop.
-> Close all windows, open the win32delfkil folder. Double-click fix.bat. Answer yes to any questions. If your computer doesn't restart, restart it.

6. Run HijackThis and fix these entries (do a system scan only, check entries, close all other windows, press Fix checked).

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.contentcooler.biz
O15 - Trusted Zone: www.new-access.biz
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab

7. Restart your computer in safe mode (press the F8 button when the computer is starting).

8. Make your hidden files visible:
-> On the Tools menu in Windows Explorer, click Folder Options.
-> Click the View tab.
-> Under Hidden files and folders, click Show hidden files and folders.

9. Delete this file:
C:\WINDOWS\-->alt.exe<--

10. Empty the Recycle Bin.

11. Make your hidden files invisible again:
-> On the Tools menu in Windows Explorer, click Folder Options.
-> Click the View tab.
-> Under Hidden files and folders, click Do not show hidden files and folders.

12. Scan your computer with Ewido and save the log file.

13. Restart your computer normally.

14. Run HijackThis and post its fresh log and Ewido's log and the logs from c:\windelf.txt and C:\Look2Me-Destroyer.txt here so we can see if your computer is now clean.

Now you can enable Microsoft Antispyware.

You have many programs starting when you start your computer, and if you want to make your computer (especially the start) faster, you can fix these entries with HijackThis.

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
You're welcome, but please post a fresh HijackThis log and Ewido's log and the logs from c:\windelf.txt and C:\Look2Me-Destroyer.txt here so we can see if your computer is now clean.
I tried to run Look2Me-Destroyer; it won't work. It says component 'mswinsck.ocx' or one of its dependencies not correctly registered: a file is missing or invalid. Help.
Download MSWINSCK.OCX from here to your desktop -> http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX Then place it in the folder C:\Windows\System32, then try again. Then restart your computer in safe mode and DISABLE your antivirus and firewall and then try to run Look2Me-Destroyer again. Then just follow the instructions in my earlier message. When you have reached the end of my instructions and you are about to restart the computer, ENABLE your antivirus and firewall again. Please follow my instructions carefully.
OK, I ran everything except Look2Me-Destroyer; it won't work. It says it will come back on in 10 sec, but it never does?
Ok, then do this:

In normal mode (not in safe mode)
-> Unplug your computer from the internet (unplug your cable)
-> Disable Antivirus
-> Disable Firewall
-> Run Look2Me-Destroyer

Then
-> Restart your computer
-> Enable Firewall
-> Enable Antivirus
-> Plug your internet cable back in
-> Post a fresh HijackThis log and Ewido's log and the logs from c:\windelf.txt and C:\Look2Me-Destroyer.txt here so we can see if your computer is now clean.
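
Added example, not part of the original thread or of any tool named in it: a Python check for the step requested above, comparing a fresh HijackThis log with the earlier one and with the entries that were to be fixed. The AFTER log and its ExampleNew entry are constructed for illustration, and parse_entries and compare_logs are names chosen here.

```python
import re

# Each HijackThis entry starts with a section marker such as "R0 - " or "O23 - ".
MARK = re.compile(r"(?<!\S)([RO]\d{1,2}) - ")

def parse_entries(text):
    """Split a log into (section, detail) pairs; tolerates lost line breaks."""
    marks = list(MARK.finditer(text))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.append((m.group(1), " ".join(text[m.end():end].split())))
    return entries

def _key(entry):
    return entry[0], entry[1].casefold()  # Windows paths are case-insensitive

def compare_logs(before, after, fix_list):
    """Report fix-list entries that survived and entries that are new."""
    old = {_key(e) for e in parse_entries(before)}
    fresh = parse_entries(after)
    fresh_keys = {_key(e) for e in fresh}
    to_fix = parse_entries(fix_list)
    return {
        "still_present": [e for e in to_fix if _key(e) in fresh_keys],
        "not_in_original": [e for e in to_fix if _key(e) not in old],
        "new_entries": [e for e in fresh if _key(e) not in old],
    }

# A few entries copied from the log in this thread, run together on one line.
BEFORE = (r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank "
          r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe "
          r"O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe "
          r"O15 - Trusted Zone: www.redfunny.com O15 - Trusted Zone: www.skymasters.biz")
# A subset of the entries the cleaning instructions say to fix.
FIX = (r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank "
       r"O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe "
       r"O15 - Trusted Zone: www.redfunny.com O15 - Trusted Zone: www.skymasters.biz")
# Constructed "fresh" log (the thread contains none); ExampleNew is made up.
AFTER = r"""O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: www.redfunny.com
O4 - HKCU\..\Run: [ExampleNew] C:\example\new.exe"""

if __name__ == "__main__":
    for name, items in compare_logs(BEFORE, AFTER, FIX).items():
        print(name, items)
```

Only the R and O entries are compared; the "Running processes" list at the top of a log is skipped.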