Yann A. Posted June 15, 2005

Few things here:
For a couple of months my PC has been quite slow and I noticed a long list of programs running each time I start my PC.
I use Win XP.
My Outlook displays a square shaped sign instead of ' . I've managed to solve this but it comes back to this square shape again...
Can anyone help so that I can find back a normal use of my laptop?
Here is my Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:25:32 , on 15/06/05
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Yann A\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.155.0.10
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [sPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103547812896
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Yann.
Matt Posted June 15, 2005

** Please disregard **
A side note, you should usually post HJT logs in the HJT forum: http://www.besttechie.net/forums/index.php?showforum=6
But in this case it may be ok as your problem may not lie in a hijack
Besttechie Posted June 16, 2005

Hi and Welcome,
Please run this free online scan, tick the autoclean box.
http://housecall.antivirus.com/
Then open HijackThis and click 'Open the Misc Tools section'
Click 'Generate StartupList log'
Notepad will open up, copy all the contents and paste them here.
Also, how long is it taking to startup?
We'll go from there

B
Yann A. Posted June 16, 2005

Hi BT,
Thanks for your help. By running the latest version of House Call, I already removed 3 spyware that seemed to be called Cookie 968, Cookie 1887 and Cookie 2513.
Now I still have 14 vulnerabilities and not so sure on what to do for this: MS01-056, MS01-059, MS02-045, MS03-007, MS03-014, MS03-030, MS03-041, MS03-043, MS04-013, MS04-015, MS04-016, MS04-018, MS04-022, MS04-023
Followed your instructions regarding the StartupList log and there it is:

StartupList report, 16/06/05, 21:20:38
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Yann A\Local Settings\Temp\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Yann A\Local Settings\Temp\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Device Detector = "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray = C:\PROGRA~1\SYMANT~1\VPTray.exe
Error Nuker = C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
SPAMfighter Agent = "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Disk Cleanup.job
Symantec AntiVirus.job

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

[{15589FA1-C456-11CE-BF01-000000000000}]
CODEBASE = http://www.errornuker.com/products/errn200...erInstaller.exe

[shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc2.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5co...b?1103547812896

[symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

[shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,411 bytes
Report generated in 0.350 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Thanks for your help...

Yann.
Chappy Posted June 16, 2005

First thing I see right away is that your Operating system and Internet Explorer are both unpatched.
This is a MUST nowadays!!!
You need to get SP2 for XP and IE immediately as there are many vulnerabilities that need to be closed up. Go to Windows Update and get SP2 installed ASAP, it's gonna be a big d'load but you need it.
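How the points raised in this thread can be read off a HijackThis log, as an added example (not code from the thread or from HijackThis): it groups entries by section code and notes header lines with no service pack, the IE proxy setting and the Run-key autoruns. The sample lines are copied from the log posted above; reading a missing "SPn" in the Platform/MSIE lines as "no service pack" is an assumption about HijackThis output, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.155.0.10
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

HEADER = re.compile(r"^(Platform|MSIE): (.*)$")
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # section code, then the entry text
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")  # hive, value name, command line

def parse_hjt(text):
    """Split a HijackThis log into header fields and entries grouped by section code."""
    header, sections = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            header[m.group(1)] = m.group(2)
        elif m := ENTRY.match(line):
            sections[m.group(1)].append(m.group(2))
    return header, dict(sections)

def review(header, sections):
    """List the items a helper would look at first: patch level, proxy, autoruns."""
    notes = []
    for field in ("Platform", "MSIE"):
        # Assumption: HijackThis prints "SPn" in these lines when a service pack is installed.
        if field in header and not re.search(r"\bSP\d", header[field]):
            notes.append(f"{field} shows no service pack: {header[field]}")
    for value in sections.get("R1", []):
        if "ProxyServer" in value:
            notes.append("IE proxy configured: " + value.split("=", 1)[1].strip())
    for value in sections.get("O4", []):
        if m := RUN.match(value):
            notes.append(f"autorun {m.group(1)} [{m.group(2)}] -> {m.group(3)}")
    return notes
```
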
Yann A. Posted June 25, 2005

Thank you Chappy and BT...
I followed both of your advice and my problem seems solved for now.
Thanks a lot for your help and passion.

Yann.
Besttechie Posted June 25, 2005

No Prob. Glad we could help.

B