i dont really know where to post this log , so im just gonna post it here and if its wrong then sorry. here's the log i got from hijackthis Logfile of HijackThis v1.99.1 Scan saved at 15:10:56, on 20-Nov-06 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE c:\oracle\ora81\bin\ORACLE.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\user\Desktop\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=112406 serial=DR12WEX-1504397-KTY lang=EN O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\INF\norBtok.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\user\Local Settings\Application Data\smss.exe" O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: BTTray.lnk = ? O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{7ABB0EE9-4DCB-4795-8A7C-44F05A10BA00}: NameServer = 195.112.195.34 195.112.195.35 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WLogon - C:\WINDOWS\SYSTEM32\srvc.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE O23 - Service: OracleOraHome81Agent - oracle - c:\Oracle\Ora81\bin\dbsnmp.exe O23 - Service: OracleOraHome81AppServerListener - Unknown owner - c:\Oracle\Ora81\ows\4.0\bin\oraweb40.exe O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\Oracle\Ora81\BIN\ONRSD.EXE O23 - Service: OracleOraHome81CMAdmin - Unknown owner - c:\Oracle\Ora81\BIN\CMADMIN.EXE O23 - Service: OracleOraHome81CMan - Unknown owner - c:\Oracle\Ora81\BIN\CMGW.EXE O23 - Service: OracleOraHome81DataGatherer - Unknown owner - c:\Oracle\Ora81\bin\vppdc.exe O23 - Service: OracleServiceOMEGADB1 - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing) what am i supposed to do next ?
Hello, welcome to aD. Yes, this is the correct place to post your HjT logs. I see 1 worm and 1 downloader showing in your HjT log, but here may be more that we can't see. Before we remove those you need to do something first. You need to get Service Pack 1 for XP. Although SP2 is now out, do [bold]not[/bold] install it until we know you're clean. Both Service Pack have [bold]major[/bold] security updates and patches. Download and install SP1a from here. After you install SP1a and restart, run a scan only with HijackThis, place a check beside these, then click "Fix checked". [bold]O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\INF\norBtok.exe" O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\user\Local Settings\Application Data\smss.exe" O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O20 - Winlogon Notify: WLogon - C:\WINDOWS\SYSTEM32\srvc.dll[/bold] Update AVG Anti-spyware then close it, you will run the scan in safe mode. [bold]Note[/bold]: Print or copy these instructions to Notepad and save them. You will be in safe mode an can't access the internet. Restart your computer in safe mode. (press [bold]F8[/bold] before the Windows load screen, select [bold]Safe Mode[/bold] from the menu then press [bold]Enter[/bold] Show hidden files and folders. Start > Control Panel > Folder Options > View tab > check "Show hidden files and folders". Click Apply, then OK. Locate and delete these files. Some may not be there, I'm listing all the files this worm can copy its self as, just incase they are present. C:\WINDOWS\INF\[bold]norBtok.exe[/bold] C:\WINDOWS\SYSTEM32\[bold]srvc.dll[/bold] C:\Documents and Settings\user\Local Settings\Application Data\[bold]csrss.exe[/bold]* C:\Documents and Settings\user\Local Settings\Application Data\[bold]inetinfo.exe[/bold]* C:\Documents and Settings\user\Local Settings\Application Data\[bold]lsass.exe[/bold]* C:\Documents and Settings\user\Local Settings\Application Data\[bold]services.exe[/bold]* C:\Documents and Settings\user\Local Settings\Application Data\[bold]smss.exe[/bold]* * - These have the same name as legit files in the System32 folder. Do not confuse those with these. Empty the Recycle Bin. Then, run a "Complete scan" with AVGAS. Be sure to click "Save Report" after you delete any files found. Restart in normal mode and post back with the AVGAS report and a new HijackThis log.
