
Need Computer help - Win XP

Old Feb 25, 2005 | 07:04 PM  #21
KayJai (Thread Starter, Senior Member)
Joined: Jul 2001
Posts: 4,828
Likes: 0
From: Winnipeg

******Need to double post to fit EVERYthing in******


Normal:
Logfile of HijackThis v1.99.1
Scan saved at 7:48:03 PM, on 2/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\New Folder\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://67.15.70.15/~black/videosex.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [*Microsoft Update] wstcl.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\RunServices: [*Microsoft Update] wstcl.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [*Microsoft Update] wstcl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Old Feb 25, 2005 | 07:30 PM  #22
iamcyclopseatme (Senior Member)
Joined: Jul 2004
Posts: 407
Likes: 0

Umm.. Format the hard drive plz.. I guarantee you that every time you install, you aren't NOT formatting the drive.. Best thing to do is create a boot disk (download a boot disk file, google for it) and boot up with it.. It'll put you in DOS mode.. I'd suggest a debug too.. You can get a debug script from google, or msg me on AIM and I'll walk you through it.. jktntjg = aim... Then just re-partition the drive and format, then install Windows.. You will have NO problems..

All these spyware programs and adware are USELESS.. I'm running XP Pro w/ SP2 and have NO anti-virus or spyware programs.. I have no spyware (yes, I run a check every few months just to see) and I have no viruses.. It's not hard to keep it off of your computer, you just need to stay away from porn, pop-up sites (free webhosting generally) and not be a moron ;/

Also, you don't need any process programs.. All your processes are listed in your Task Manager.. Some you cannot close though because they are protected, so you'll need to figure out how to get rid of them (safe mode, rename them, delete them)..
Old Feb 25, 2005 | 07:50 PM  #23
albert (Senior Member)
Joined: Nov 2003
Posts: 910
Likes: 0
From: Rancho Palos Verdes, CA

http://sandbox.norman.no/live_2.html?logfile=100032

Click on a samples "Date" to display its Sandbox analysis.

Report created: 24.02.2005 00:38:32

Automatic Sandbox analysis of unknown malware (W32/Malware)
[ General information ]
* File length: 80496 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\wstcl.exe.
* Deletes file 1.

[ Changes to registry ]
* Creates value "*Microsoft Update"="wstcl.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "*Microsoft Update"="wstcl.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates value "*Microsoft Update"="wstcl.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run".
* Creates value "*Microsoft Update"="wstcl.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run".
* Sets value "*Microsoft Update"="wstcl.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run".
* Creates key "HKLM\System\CurrentControlSet\Services\*Microsoft Update".
* Sets value "ImagePath"="C:\WINDOWS\SYSTEM\wstcl.exe" in key "HKLM\System\CurrentControlSet\Services\*Microsoft Update".
* Sets value "DisplayName"="*Microsoft Update" in key "HKLM\System\CurrentControlSet\Services\*Microsoft Update".
* Sets value "restrictanonymous"="" in key "HKLM\System\CurrentControlSet\Control\Lsa".

[ Network services ]
* Looks for an Internet connection.
* Connects to "999d38e693b9e6293b450.notsecurebyssl.com" on port 30105 (TCP).
* Sends data stream (29 bytes) to remote address "999d38e693b9e6293b450.notsecurebyssl.com", port 30105.
* Connects to IRC Server.
* Attempts to delete share named "IPC$" on local system.
* Attempts to delete share named "ADMIN$" on local system.
* Attempts to delete share named "C$" on local system.
* Attempts to delete share named "D$" on local system.

[ Process/window information ]
* Creates a mutex wstcl.
* Will automatically restart after boot (I'll be back...).
* Creates service "*Microsoft Update (*Microsoft Update)" as "C:\WINDOWS\SYSTEM\wstcl.exe".


++++++++++++++++++++++++++++++++++++
Get rid of the following entries.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://67.15.70.15/~black/videosex.html
O4 - HKLM\..\Run: [*Microsoft Update] wstcl.exe
O4 - HKLM\..\RunServices: [*Microsoft Update] wstcl.exe
O4 - HKCU\..\Run: [*Microsoft Update] wstcl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
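The sandbox report above lists the autostart values the sample writes, and the HijackThis log in post #21 shows the same value name sitting in HKLM Run, HKLM RunServices and HKCU Run at once. The Python script below is an added example, not part of this thread and not code from HijackThis or Norman: it pulls the registry values out of a constructed excerpt of the sandbox report, parses the O4 lines of a constructed excerpt of the posted log, and flags an entry when it matches a report indicator, when it launches a bare filename with no directory (so the loader resolves it through the search path rather than a known install location), or when the same value name is planted in more than one autostart location. The excerpt strings, the regexes, the heuristics and the function names are my own assumptions.

```python
"""Triage HijackThis O4 autostart lines against indicators taken from a sandbox report."""
import re
from collections import defaultdict

# Constructed excerpt of the sandbox report quoted in the thread (registry lines only).
SANDBOX_REPORT = r"""
* Creates file C:\WINDOWS\SYSTEM\wstcl.exe.
* Creates value "*Microsoft Update"="wstcl.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "*Microsoft Update"="wstcl.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Sets value "*Microsoft Update"="wstcl.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run".
"""

# Constructed excerpt of the HijackThis log from post #21 (O4 lines only).
HIJACKTHIS_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [*Microsoft Update] wstcl.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\RunServices: [*Microsoft Update] wstcl.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [*Microsoft Update] wstcl.exe
"""

# '* Creates value "NAME"="DATA" in key "KEY".' / '* Sets value ...' lines of the report.
VALUE_RE = re.compile(r'^\* (?:Creates|Sets) value "(?P<name>[^"]+)"="(?P<data>[^"]*)" in key "(?P<key>[^"]+)"')
# 'O4 - HKLM\..\Run: [NAME] COMMAND' lines of a HijackThis log (Run, RunServices, RunOnce, ...).
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def autostarts_from_report(report_text):
    """Map value name -> executable basename (lower-cased) for each registry value the report lists."""
    found = {}
    for line in report_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            found[m.group("name")] = m.group("data").rsplit("\\", 1)[-1].lower()
    return found


def parse_o4(log_text):
    """Return one dict per O4 line: hive, key, value name, launched executable, original line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if cmd.startswith('"'):                 # quoted path, arguments may follow the closing quote
            exe = cmd[1:cmd.find('"', 1)]
        else:                                   # unquoted: the executable is the first token
            exe = cmd.split()[0] if cmd else ""
        entries.append({"hive": m.group("hive"), "key": m.group("key"),
                        "name": m.group("name"), "exe": exe, "line": line.strip()})
    return entries


def triage(entries, known_autostarts):
    """Return {log line: [reasons]} for every O4 entry that deserves a closer look."""
    locations = defaultdict(set)                # value name -> set of (hive, key) it appears in
    for e in entries:
        locations[e["name"]].add((e["hive"], e["key"]))
    flagged = {}
    for e in entries:
        reasons = []
        basename = e["exe"].rsplit("\\", 1)[-1].lower()
        if known_autostarts.get(e["name"]) == basename:
            reasons.append("value name and executable match the sandbox report")
        if "\\" not in e["exe"]:
            reasons.append("bare filename with no directory, resolved through the search path")
        if len(locations[e["name"]]) > 1:
            reasons.append("same value name in %d autostart locations" % len(locations[e["name"]]))
        if reasons:
            flagged[e["line"]] = reasons
    return flagged


if __name__ == "__main__":
    hits = triage(parse_o4(HIJACKTHIS_LOG), autostarts_from_report(SANDBOX_REPORT))
    for line, reasons in hits.items():
        print(line)
        for r in reasons:
            print("    -", r)
```

Run against the excerpts, only the three `wstcl.exe` lines are flagged, each for all three reasons; the legitimate entries carry full vendor paths and appear once. The bare-filename check is the most general of the three: it needs no prior indicator and is the one that would have stood out in the original log before any sandbox report existed.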
Old Feb 25, 2005 | 08:55 PM  #24
KayJai (Thread Starter, Senior Member)
Joined: Jul 2001
Posts: 4,828
Likes: 0
From: Winnipeg

Thanks Random
I used HijackThis to get rid of those lines but the wstcl.exe came back.
COT DAMN
Fdisk time!

There's nothing on this cpu anyway.
I suspect this was there before, that's why she had issues.
Guess this was a learning process for me too..
Well thanks guys.

Off to bootdisk time
Old Feb 25, 2005 | 10:15 PM  #25
supercow (Senior Member)
Joined: Mar 2006
Posts: 4,244
Likes: 0
From: Ashland, KY
Vehicle: 2001/Hyundai/Tiburon

hey man, sorry it took me so long to respond.

here's my series of questions when dealing with spyware:

1. is there anything important on the pc? if the spyware is pretty bad just format/install. then install all updates (including SP2!!!!!) and the Microsoft spyware software.

2. if you wanna clean, use the new Microsoft spyware software + Ad-Aware + Spybot S&D. that will clean about anything. the Microsoft program is pretty new but is doing great! just about the only thing around that does a decent job of blocking new stuff.

3. if there are still problems it'll be hard to remove. come back then with a HijackThis log.
Old Feb 25, 2005 | 10:46 PM  #26
majik (Administrator)
Joined: Oct 2002
Posts: 13,943
Likes: 0
From: ɯooɹpǝq ɹnoʎ
Vehicle: ǝdnoɔ sısǝuǝƃ

seriously.... learn Linux, or if u must have Windows, Do Not Use Internet Explorer!! Use Firefox... it's better anyways
Old Feb 26, 2005 | 02:14 AM  #27
Casper (Senior Member)
Joined: Mar 2006
Posts: 1,061
Likes: 0
Vehicle: 2001 Hyundai Tiburon

Man, I hope you didn't re-format... there is no need... you can get rid of everything without that.

The reason that they are coming back (and multiplying) is because the program is in the RUN ONCE portion of the registry (see my post above). Remove that first and then re-run HijackThis and remove all instances. Your log file looked fine besides the two files you mentioned.

Some people live by re-formatting... but there is nothing that is impossible to manually remove (minus MBR viruses, but they will either corrupt sector 0 of the hard drive (re-format necessary) or Norton can take care of it).
Old Feb 26, 2005 | 07:54 AM  #28
iamcyclopseatme (Senior Member)
Joined: Jul 2004
Posts: 407
Likes: 0

Yeah.. There is no need to format, if you have the knowledge to get rid of it all yourself, and the time.. Depending how bad it is, it might be faster to format/reinstall.. And if you don't know how to navigate a registry, end processes, and manually get rid of adware/spyware/viruses, it's easier to format..

Most people can't do those things though...
Old Feb 26, 2005 | 09:06 AM  #29
supercow (Senior Member)
Joined: Mar 2006
Posts: 4,244
Likes: 0
From: Ashland, KY
Vehicle: 2001/Hyundai/Tiburon

QUOTE (Casper)
Man, I hope you didn't re-format... there is no need... you can get rid of everything without that.

The reason that they are coming back (and multiplying) is because the program is in the RUN ONCE portion of the registry (see my post above). Remove that first and then re-run HijackThis and remove all instances. Your log file looked fine besides the two files you mentioned.

Some people live by re-formatting... but there is nothing that is impossible to manually remove (minus MBR viruses, but they will either corrupt sector 0 of the hard drive (re-format necessary) or Norton can take care of it).


well sometimes formatting is the best solution. if it would take you 4 hours to remove all the spyware, in the end you'll have a clean machine but even then you're still going to have an old install of Windows. usually if it's going to take more than 2 hours to clean the spyware off I just format and install, which takes about 1.5 hours. (I've seen some where it was so bad it took 1/2 hour for Windows to load) there is no need to fight with it. just protect yourself better next time around.

QUOTE (majiktib)
seriously.... learn Linux, or if u must have Windows, Do Not Use Internet Explorer!! Use Firefox... it's better anyways


Definitely use Firefox, it blocks all the ActiveX crap that spyware comes from, plus it works better too!!! anyways, with Linux... I love Linux, it is a great server OS and is great for techies. I would never suggest it to someone who wants user friendly. sure, some of them (SUSE, Red Hat, Mandrake) are pretty user friendly. But telling someone to use Linux instead to fix spyware is like telling someone to learn to fly a plane to avoid traffic.
Old Feb 26, 2005 | 03:04 PM  #30
Casper (Senior Member)
Joined: Mar 2006
Posts: 1,061
Likes: 0
Vehicle: 2001 Hyundai Tiburon

QUOTE (Supercow)
usually if it's going to take more than 2 hours to clean the spyware off I just format and install which takes about 1.5 hours.


With Windows, 1.5 hours is just the OS install. Figure in all the applications and all the Windows / Office updates. You just exponentially increased that time.

Looking at his HijackThis log, the fix would have taken 30 mins (including a long startup time)