
HJT Log - DLivengood


21 replies to this topic

#1 DLivengood

DLivengood


Posted 05 February 2005 - 06:29 PM

I have run Spybot, AdAware SE, Spyware Blaster and Microsoft AntiSpyware (beta 1) all in Safe Mode. Spybot says it gets rid of Haxdoor-H; however, it continues to return. Ran HijackThis and am attaching log. Thanks for the consideration. :thumbsup:
Logfile of HijackThis v1.99.0
Scan saved at 3:15:56 PM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EDE7FA6-1F43-4813-8FC6-CF5505F5C84B} - C:\WINDOWS\system32\kelm.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



#2 Grinler

Grinler

    Lawrence Abrams



Posted 06 February 2005 - 09:12 PM

Could you please download services.zip from this post and unzip it. Double-click on runme.bat and wait for it to finish. It could take a few minutes, so please be patient. It should create a srvlook.log file. Please post it back in this thread. The file may be large, so you may need to split the log and make a few posts.

Attached Files



#3 DLivengood

DLivengood

Posted 07 February 2005 - 12:39 AM

Thanks for the quick response. Here is the srvlook.log file. As you mentioned, it might take a couple of posts.
A Service_look by IMM (v1.0)

System Info:
Windows XP Home Ed. SP2 (Build 2600)
System Drive: C:\ (NTFS)

number of entries: 55
SERVICE_NAME: ALG
DISPLAY_NAME : Application Layer Gateway Service
BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: AudioSrv
DISPLAY_NAME : Windows Audio
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Browser
DISPLAY_NAME : Computer Browser
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ccEvtMgr
DISPLAY_NAME : Symantec Event Manager
BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ccPxySvc
DISPLAY_NAME : Symantec Proxy Service
BINARY_PATH_NAME : "C:\Program Files\Norton Personal Firewall\ccPxySvc.exe"
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Creative Service for CDROM Access
DISPLAY_NAME : Creative Service for CDROM Access
BINARY_PATH_NAME : C:\WINDOWS\System32\CTsvcCDA.exe
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CryptSvc
DISPLAY_NAME : Cryptographic Services
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DcomLaunch
DISPLAY_NAME : DCOM Server Process Launcher
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dhcp
DISPLAY_NAME : DHCP Client
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
DISPLAY_NAME : DNS Client
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k NetworkService
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
DISPLAY_NAME : Error Reporting Service
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
DISPLAY_NAME : Event Log
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
DISPLAY_NAME : COM+ Event System
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
DISPLAY_NAME : Fast User Switching Compatibility
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
DISPLAY_NAME : Help and Support
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: iPodService
DISPLAY_NAME : iPod Service
BINARY_PATH_NAME : "C:\Program Files\iPod\bin\iPodService.exe"
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
DISPLAY_NAME : Server
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
DISPLAY_NAME : Workstation
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
DISPLAY_NAME : TCP/IP NetBIOS Helper
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: navapsvc
DISPLAY_NAME : Norton AntiVirus Auto Protect Service
BINARY_PATH_NAME : "C:\Program Files\Norton AntiVirus\navapsvc.exe"
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
DISPLAY_NAME : Network Connections
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NISUM
DISPLAY_NAME : Norton Personal Firewall Accounts Manager
BINARY_PATH_NAME : "C:\Program Files\Norton Personal Firewall\NISUM.EXE"
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Nla
DISPLAY_NAME : Network Location Awareness (NLA)
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NProtectService
DISPLAY_NAME : Norton Unerase Protection
BINARY_PATH_NAME : C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NVSvc
DISPLAY_NAME : NVIDIA Driver Helper Service
BINARY_PATH_NAME : C:\WINDOWS\System32\nvsvc32.exe
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NwSapAgent
DISPLAY_NAME : SAP Agent
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
DISPLAY_NAME : Plug and Play
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Pml Driver HPZ12
DISPLAY_NAME : Pml Driver HPZ12
BINARY_PATH_NAME : C:\WINDOWS\System32\HPZipm12.exe
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
DISPLAY_NAME : IPSEC Services
BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
DISPLAY_NAME : Protected Storage
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
DISPLAY_NAME : Remote Access Connection Manager
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcSs
DISPLAY_NAME : Remote Procedure Call (RPC)
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: SamSs
DISPLAY_NAME : Security Accounts Manager
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Schedule
DISPLAY_NAME : Task Scheduler
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: seclogon
DISPLAY_NAME : Secondary Logon
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
DISPLAY_NAME : System Event Notification
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ShellHWDetection
DISPLAY_NAME : Shell Hardware Detection
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
DISPLAY_NAME : Print Spooler
BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: srservice
DISPLAY_NAME : System Restore Service
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SSDPSRV
DISPLAY_NAME : SSDP Discovery Service
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
DISPLAY_NAME : Windows Image Acquisition (WIA)
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SymWSC
DISPLAY_NAME : SymWMI Service
BINARY_PATH_NAME : "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TapiSrv
DISPLAY_NAME : Telephony
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
DISPLAY_NAME : Terminal Services
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Themes
DISPLAY_NAME : Themes
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkWks
DISPLAY_NAME : Distributed Link Tracking Client
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UMWdf
DISPLAY_NAME : Windows User Mode Driver Framework
BINARY_PATH_NAME : C:\WINDOWS\system32\wdfmgr.exe
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: W32Time
DISPLAY_NAME : Windows Time
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WebClient
DISPLAY_NAME : WebClient
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
DISPLAY_NAME : Windows Management Instrumentation
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WMDM PMSP Service
DISPLAY_NAME : WMDM PMSP Service
BINARY_PATH_NAME : C:\WINDOWS\System32\MsPMSPSv.exe
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wscsvc
DISPLAY_NAME : Security Center
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
DISPLAY_NAME : Automatic Updates
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
DISPLAY_NAME : Wireless Zero Configuration
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Browser
DISPLAY_NAME : Wireless Zero Configuration
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_START_NAME: LocalSystem

I think that's it... :thumbsup:

#4 Grinler

Grinler

    Lawrence Abrams



Posted 07 February 2005 - 10:43 AM

You sure that's it? Seems a little short. Also, what files are being found and identified as Haxdoor?

#5 DLivengood

DLivengood

Posted 07 February 2005 - 02:08 PM

This was the extent of the srvlook.log file. Unfortunately, I am not near my infected computer right now or my notes regarding Haxdoor. It only shows up on Spybot scans. I can "Fix" the entries, however they only reappear. I can send you the details on the suspect files tonight. Thanks

#6 DLivengood

DLivengood

Posted 07 February 2005 - 11:48 PM

Grinler,
Here is the log from my latest Spybot S&D search. There is one entry for Haxdoor and five for DSO exploit. Hope this helps. Thanks...

Cache: Cache (557) (Cache, nothing done)


Common Dialogs: History (2 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Cookie: Cookie (5) (Cookie, nothing done)


DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Haxdoor-H: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\System\RAdmin\v2.0\Server\Parameters\DisableTrayIcon!=B=0

Internet Explorer: Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Internet Explorer\Download Directory!=

Internet Explorer: URL history #1 (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Internet Explorer\TypedURLs

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

MS DirectDraw: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS Office 11.0 (Word): Recent file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Office\11.0\Word\Data\Settings

MS Regedit: Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey!=

RegAlyzer: Last opened key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\PepiMK Software\Analysis tools\RegAlyzer\LastKey!=

Windows Explorer: Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: Run history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: User Assistant history files (18 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: User Assistant history IE (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count


--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\Cookies.sbi
2005-01-27 Includes\Dialer.sbi
2005-01-27 Includes\Hijackers.sbi
2005-01-11 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2005-01-27 Includes\Malware.sbi
2004-08-11 Includes\plugin-ignore.ini
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2005-01-27 Includes\Spybots.sbi
2004-11-29 Includes\Tracks.uti
2005-01-27 Includes\Trojans.sbi

#7 Grinler

Grinler

    Lawrence Abrams



Posted 08 February 2005 - 03:50 PM

I think that registry setting is a false positive. I have it on my home and work pc as well.

You can ignore that. Please post a new log for final review.

#8 DLivengood

DLivengood

Posted 08 February 2005 - 10:23 PM

Grinler,
I hope you are right about the false positive. That would really be good news. Here is the latest Hijack This log. Thanks for all the help.

One additional question regarding the Spybot S&D log I sent yesterday. What are your thoughts regarding the DSO Exploit registry issues noted?
Do I need to start a new thread regarding that?

Keep up the good work...I appreciate everything! I'm sure there are a lot of users out here that feel the same way. :thumbsup:



Logfile of HijackThis v1.99.0
Scan saved at 7:16:39 PM, on 2/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EDE7FA6-1F43-4813-8FC6-CF5505F5C84B} - C:\WINDOWS\system32\kelm.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe (file missing)
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:37 PM

Posted 08 February 2005 - 11:05 PM

Fix these:

Are you using XP Home or Pro?

#10 DLivengood

DLivengood
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Location:California
  • Local time:02:37 PM

Posted 08 February 2005 - 11:45 PM

Using XP Home

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:37 PM

Posted 09 February 2005 - 02:23 PM

On second thought, I want to get rid of that reg key. I checked a just installed XP home machine and it's not there. It's probably there from the O23 below, but let's be safe.

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop.

REGEDIT4

[- HKEY_LOCAL_MACHINE\System\RAdmin]


Double-click on the fix.reg file you saved on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.

Then fix these entries:


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {2EDE7FA6-1F43-4813-8FC6-CF5505F5C84B} - C:\WINDOWS\system32\kelm.dll (file missing)
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (file missing)
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe (file missing)
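As an added illustration (not part of this thread, and not HijackThis' own code), the cues Grinler used on the four entries above can be applied mechanically to a HijackThis 1.99 log: a registered path that is missing from disk, a BHO with no name, a service with an unknown vendor, and a Search Assistant pointed at about:blank. The sample lines below are copied from the logs in this thread; the function and pattern names are this example's own.

```python
import re

# Constructed sample: HijackThis 1.99 lines copied from this thread's logs.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {2EDE7FA6-1F43-4813-8FC6-CF5505F5C84B} - C:\WINDOWS\system32\kelm.dll (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\system32\r_server.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")      # "O23 - <body>"
SERVICE_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")  # name - vendor - path

def parse_entry(line):
    """Split one HijackThis line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage_line(line):
    """Reasons an entry deserves a closer look (empty = nothing unusual).
    Cues only, not a verdict: a legitimate component can be unnamed too
    (Spybot's own SDHelper.dll is), so a hit means 'check', not 'remove'."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, body = parsed
    reasons = []
    if body.endswith("(file missing)"):
        # Registration whose target is gone: leftover of a removal, or a
        # dropper whose file has not been re-created yet.
        reasons.append("registered file is missing from disk")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    if section == "O23":
        m = SERVICE_RE.match(body)
        if m and m.group(2) == "Unknown":
            reasons.append("service carries no vendor information")
    if section == "R0" and body.endswith("SearchAssistant = about:blank"):
        reasons.append("Search Assistant redirected to about:blank")
    return reasons

def triage_log(text):
    """[(line, reasons)] for every entry with at least one reason, in log order."""
    hits = [(ln.strip(), triage_line(ln)) for ln in text.splitlines()]
    return [(ln, r) for ln, r in hits if r]
```

Running `triage_log(SAMPLE_LOG)` flags exactly the R0, the unnamed BHO and the r_server.exe service, and leaves the two Norton entries alone.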

#12 DLivengood

DLivengood
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Location:California
  • Local time:02:37 PM

Posted 10 February 2005 - 12:15 AM

Grinler,
Had no problem with the first part of your instructions.

"Then fix these entries:"...Are you saying to delete these entries? If so, I am not sure how to do that. Can I do it off of the Hijack Log file? This is a lack of PC operator knowledge. Thanks

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:37 PM

Posted 10 February 2005 - 09:48 AM

Open up HijackThis, click on Scan, put a checkmark next to each entry, and then click on Fix. Then post a brand new log.

#14 DLivengood

DLivengood
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Location:California
  • Local time:02:37 PM

Posted 10 February 2005 - 09:29 PM

Grinler, I deleted the entries as directed and here is the latest HJT log. I am also attaching the latest Spybot S&D scan that I ran after the above and rebooting. Seems like the same. Thanks as always.

Logfile of HijackThis v1.99.0
Scan saved at 6:22:46 PM, on 2/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Spybot S&D Scan:

Cache: Cache (774) (Cache, nothing done)


Cookie: Cookie (16) (Cookie, nothing done)


DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Haxdoor-H: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\System\RAdmin\v2.0\Server\Parameters\DisableTrayIcon!=B=0

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

MS Office 11.0 (Word): Recent file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Office\11.0\Word\Data\Settings

MS Search Assistant: Typed search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Search Assistant\ACMru

Windows Explorer: Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: User Assistant history files (23 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: User Assistant history IE (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Media SDK: Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1960408961-412668190-725345543-1004\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName


--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\Cookies.sbi
2005-01-27 Includes\Dialer.sbi
2005-01-27 Includes\Hijackers.sbi
2005-01-11 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2005-01-27 Includes\Malware.sbi
2004-08-11 Includes\plugin-ignore.ini
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2005-01-27 Includes\Spybots.sbi
2004-11-29 Includes\Tracks.uti
2005-01-27 Includes\Trojans.sbi

#15 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,659 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:37 PM

Posted 10 February 2005 - 11:35 PM

Hi. Please download and install the program Registrar Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\System

And press Enter. You will now be presented with new information. Look for the RAdmin key, right-click it and delete it. Reboot and run Spybot again and tell me if that Haxdoor line appears again.
