Don't even know what I'm battling with


6 replies to this topic

#1 usherer


Posted 27 July 2004 - 08:06 AM

Hi,

Would appreciate it if anyone could help me with this.

Something keeps shutting down my Internet Explorer. A black dialog box will appear, I think with the title: .../.cmd.exe
And it writes "access denied". They couldn't find the Mediaticketinstaller (something like that).

I have downloaded Spybot / Hijack This / Spy Blaster / Lavasoft Ad-Aware. But the problem continues. Please help!


Logfile of HijackThis v1.98.0
Scan saved at 8:56:54 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\WINDOWS\System32\NAVSCANNER32.EXE
C:\WINDOWS\System32\winsyst32.exe
C:\WINDOWS\System32\navsvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Adware\Ad-aware 6\Ad-aware.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guardian.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKLM\..\Run: [Microsoft Update] navsvc32.exe
O4 - HKLM\..\Run: [Microsoft IT Update] winsyst32.exe
O4 - HKLM\..\Run: [Microsoft Update Loader] dmuvyq.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKLM\..\RunServices: [Microsoft Update] navsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] winsyst32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Loader] dmuvyq.exe
O4 - HKCU\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKCU\..\Run: [Microsoft Update] navsvc32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .m14: C:\Program Files\Modern Age Books\Vbook\NPVbok32.dll
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF568A1-11F0-450B-A371-419509C065AA}: NameServer = 165.21.83.88 165.21.100.88

#2 discogail

Posted 27 July 2004 - 08:21 AM

You're "battling" some pretty nasty worms. With all other browser windows closed and only HijackThis running, check off:

O4 - HKLM\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKLM\..\Run: [Microsoft Update] navsvc32.exe
O4 - HKLM\..\Run: [Microsoft IT Update] winsyst32.exe
O4 - HKLM\..\Run: [Microsoft Update Loader] dmuvyq.exe
O4 - HKLM\..\RunServices: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKLM\..\RunServices: [Microsoft Update] navsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] winsyst32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Loader] dmuvyq.exe
O4 - HKCU\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKCU\..\Run: [Microsoft Update] navsvc32.exe


"Fix Checked", then reboot to SAFE mode:
How to start the computer in Safe mode

Show hidden files and folders:
Show hidden files & folders

Go to C:\WINDOWS\System32 and delete winsyst32.exe, NAVSCANNER32.EXE, navsvc32.exe, dmuvyq.exe.
Reboot normally, update NAV and run a full scan.

Survey the situation. If you're still having problems, rescan and post a new log in your next reply.

#3 usherer

Posted 27 July 2004 - 03:56 PM

Gosh.

I did all of the above, and when I rebooted normally, I was merrily whisked instantly to: http://www.freewebs....mbpea/index.htm

:rofl:

#4 usherer

Posted 27 July 2004 - 04:14 PM

(NAV still scanning)

The black box appeared again too..
It kept saying it can't locate the MeidaTicketsInstaller.exe in Downloaded Program Files.

Then it'd appear:
....cmd.exe
Access was denied.

...svchost.exe
Access was denied.
And it goes on.

#5 usherer

Posted 27 July 2004 - 04:17 PM

There's an application named "mtu" that keeps appearing despite my repeated deletions.
Anyway here's the newest log. Why are the applications still there? I fixed them as you advised! :gah:

Logfile of HijackThis v1.98.0
Scan saved at 5:15:24 AM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\navsvc32.exe
C:\WINDOWS\System32\NAVSCANNER32.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guardian.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Microsoft Update] navsvc32.exe
O4 - HKLM\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKLM\..\RunServices: [Microsoft Update] navsvc32.exe
O4 - HKLM\..\RunServices: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKCU\..\Run: [Microsoft Update] navsvc32.exe
O4 - HKCU\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .m14: C:\Program Files\Modern Age Books\Vbook\NPVbok32.dll
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FF568A1-11F0-450B-A371-419509C065AA}: NameServer = 165.21.83.88 165.21.100.88

#6 dave38

Posted 27 July 2004 - 04:19 PM

Please post a fresh log.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!

#7 usherer

Posted 27 July 2004 - 04:20 PM

(Sorry. I'm so distressed, I need to purge it by keep talking/posting.)

I now recall that I couldn't locate the files in Windows\System32 after scanning, so I assumed they were gone.

(If this helps)
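
Added example, not part of any post in this thread: a Python sketch that compares the O4 autorun lines of the two HijackThis logs posted above and reports which of the entries the reply asked to fix were removed, which are still present, and which of those executables still appear under running processes. The sample logs are abridged from the thread, and the names `parse`, `triage` and `FLAGGED` are illustrative.

```python
import re

# Constructed samples: lines abridged from the two HijackThis logs in this thread.
LOG_1 = r"""
C:\WINDOWS\System32\NAVSCANNER32.EXE
C:\WINDOWS\System32\winsyst32.exe
C:\WINDOWS\System32\navsvc32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKLM\..\Run: [Microsoft Update] navsvc32.exe
O4 - HKLM\..\Run: [Microsoft IT Update] winsyst32.exe
O4 - HKLM\..\Run: [Microsoft Update Loader] dmuvyq.exe
O4 - HKLM\..\RunServices: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKCU\..\Run: [Microsoft Update] navsvc32.exe
"""
LOG_2 = r"""
C:\WINDOWS\System32\navsvc32.exe
C:\WINDOWS\System32\NAVSCANNER32.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Update] navsvc32.exe
O4 - HKLM\..\Run: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKLM\..\RunServices: [NAVSCANNER32] NAVSCANNER32.EXE
O4 - HKCU\..\Run: [Microsoft Update] navsvc32.exe
"""
# Executables the reply in post #2 asked to fix and delete (lower-cased).
FLAGGED = {"navscanner32.exe", "navsvc32.exe", "winsyst32.exe", "dmuvyq.exe"}

O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\(?:.*\\)?([^\\]+)$")

def parse(log):
    """Return (autorun entries, running-process basenames) from a HijackThis log."""
    autoruns, procs = set(), set()
    for line in map(str.strip, log.splitlines()):
        if m := O4_RE.match(line):
            hive, key, name, cmd = m.groups()
            autoruns.add((hive, key, name, cmd.strip('"').lower()))
        elif m := PROC_RE.match(line):
            procs.add(m.group(1).lower())
    return autoruns, procs

def triage(before, after, flagged):
    """Return (removed, persisted, still_running) for the flagged autoruns."""
    (a1, _), (a2, procs2) = parse(before), parse(after)
    targeted = {e for e in a1 if e[3] in flagged}  # entries selected for fixing
    return sorted(targeted - a2), sorted(targeted & a2), sorted(flagged & procs2)

if __name__ == "__main__":
    print(triage(LOG_1, LOG_2, FLAGGED))
```

On the abridged sample, the winsyst32.exe and dmuvyq.exe entries are gone from the second log, while every navsvc32.exe and NAVSCANNER32.EXE entry is still present and both executables are still listed as running.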



