
HiJack This Log


6 replies to this topic

#1 paarngboy

  • Members
  • 4 posts

Posted 07 July 2005 - 11:24 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:16:06 AM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\javagh32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Digital Logistics\FFServer\ffserver.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\EzButton System V1.0\EzButton.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\Rar$EX00.578\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yeshd.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yeshd.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yeshd.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yeshd.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yeshd.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yeshd.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = PumpDaddy's Machine!!!
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4CC8DECC-7DCA-E875-75C1-B100A01F27B2} - C:\WINDOWS\javacw.dll
O2 - BHO: Class - {5A46A228-4AD2-6394-AAB4-A2F5E5B258F9} - C:\WINDOWS\system32\mfcja.dll
O2 - BHO: Class - {5FFCA022-FA50-3120-C21F-E6C00C517716} - C:\WINDOWS\d3nx32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {B05A22DA-B316-63E6-EBAC-E28575AC375C} - C:\WINDOWS\system32\javagh32.dll
O2 - BHO: Class - {D1B08BEF-61F3-13A0-6BCC-CB7E58770653} - C:\WINDOWS\netsr32.dll
O2 - BHO: Class - {E57CF4E2-608E-1F55-6A8B-10D3B7AD07E2} - C:\WINDOWS\system32\syspu32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sysbn.exe] C:\WINDOWS\sysbn.exe
O4 - HKLM\..\Run: [javagh32.exe] C:\WINDOWS\system32\javagh32.exe
O4 - HKLM\..\RunOnce: [apiaw.exe] C:\WINDOWS\system32\apiaw.exe
O4 - HKLM\..\RunOnce: [ipwe.exe] C:\WINDOWS\ipwe.exe
O4 - HKLM\..\RunOnce: [appcj.exe] C:\WINDOWS\appcj.exe
O4 - HKLM\..\RunOnce: [netrd32.exe] C:\WINDOWS\netrd32.exe
O4 - HKLM\..\RunOnce: [appyb.exe] C:\WINDOWS\appyb.exe
O4 - HKLM\..\RunOnce: [javacp32.exe] C:\WINDOWS\system32\javacp32.exe
O4 - HKLM\..\RunOnce: [javail.exe] C:\WINDOWS\javail.exe
O4 - HKLM\..\RunOnce: [msuh32.exe] C:\WINDOWS\system32\msuh32.exe
O4 - HKLM\..\RunOnce: [ieep.exe] C:\WINDOWS\ieep.exe
O4 - HKLM\..\RunOnce: [apidl32.exe] C:\WINDOWS\apidl32.exe
O4 - HKLM\..\RunOnce: [sysjn.exe] C:\WINDOWS\system32\sysjn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V1.0\EzButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FFServer.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O15 - Trusted Zone: *.ngb.army.mil
O15 - Trusted Zone: *.us.army.mil
O15 - Trusted Zone: webmail.us.army.mil
O15 - Trusted Zone: *.army.mil
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1503C25F-EB14-4633-91C1-6EB014FC7869} (ExcelExport.XLExport) - https://minuteman.ngb.army.mil/Components/ExcelExport.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120781420282
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - https://55.194.30.152/Components/iemenu.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\apiaw.exe" /s (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe


#2 paarngboy
  • Topic Starter

  • Members
  • 4 posts

Posted 09 July 2005 - 06:43 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:40:07 AM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\d3ic32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\EzButton System V1.0\EzButton.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hhepn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hhepn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hhepn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hhepn.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hhepn.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hhepn.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = PumpDaddy's Machine!!!
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {60EFCCA1-458B-A0A8-3708-42761B9E5AF9} - C:\WINDOWS\appbi.dll
O2 - BHO: Class - {738EC750-816A-9FA3-63DE-FC5C0C463F0A} - C:\WINDOWS\system32\appwf32.dll
O2 - BHO: Class - {A3DBF987-3149-B4CE-378C-729E03F10374} - C:\WINDOWS\system32\atlib32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {B81896EA-E0AA-92AA-BF67-14B1C8C5A7E4} - C:\WINDOWS\system32\ntid.dll
O2 - BHO: Class - {C4EC47BB-C702-C3BE-E914-9A99E52401E8} - C:\WINDOWS\nttm.dll
O2 - BHO: Class - {E6543B49-6B99-B8A7-BC93-CFC5A94E0928} - C:\WINDOWS\system32\msdi32.dll
O2 - BHO: Class - {F3E905BD-8C63-2844-6318-F249B127F566} - C:\WINDOWS\atlyg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [d3ic32.exe] C:\WINDOWS\d3ic32.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\RunOnce: [apiaw.exe] C:\WINDOWS\apiaw.exe
O4 - HKLM\..\RunOnce: [mszg32.exe] C:\WINDOWS\system32\mszg32.exe
O4 - HKLM\..\RunOnce: [appbi.exe] C:\WINDOWS\appbi.exe
O4 - HKLM\..\RunOnce: [winqf.exe] C:\WINDOWS\winqf.exe
O4 - HKLM\..\RunOnce: [crdh32.exe] C:\WINDOWS\system32\crdh32.exe
O4 - HKLM\..\RunOnce: [apiae32.exe] C:\WINDOWS\system32\apiae32.exe
O4 - HKLM\..\RunOnce: [winng.exe] C:\WINDOWS\system32\winng.exe
O4 - HKLM\..\RunOnce: [d3dp32.exe] C:\WINDOWS\d3dp32.exe
O4 - HKLM\..\RunOnce: [netis32.exe] C:\WINDOWS\system32\netis32.exe
O4 - HKLM\..\RunOnce: [sysiu32.exe] C:\WINDOWS\sysiu32.exe
O4 - HKLM\..\RunOnce: [sdknw.exe] C:\WINDOWS\sdknw.exe
O4 - HKLM\..\RunOnce: [ntww.exe] C:\WINDOWS\system32\ntww.exe
O4 - HKLM\..\RunOnce: [appbq.exe] C:\WINDOWS\system32\appbq.exe
O4 - HKLM\..\RunOnce: [iell.exe] C:\WINDOWS\iell.exe
O4 - HKLM\..\RunOnce: [crba32.exe] C:\WINDOWS\crba32.exe
O4 - HKLM\..\RunOnce: [d3um.exe] C:\WINDOWS\system32\d3um.exe
O4 - HKLM\..\RunOnce: [winqq32.exe] C:\WINDOWS\system32\winqq32.exe
O4 - HKLM\..\RunOnce: [ieaq.exe] C:\WINDOWS\system32\ieaq.exe
O4 - HKLM\..\RunOnce: [iefn32.exe] C:\WINDOWS\system32\iefn32.exe
O4 - HKLM\..\RunOnce: [ieuk32.exe] C:\WINDOWS\ieuk32.exe
O4 - HKLM\..\RunOnce: [ntzg32.exe] C:\WINDOWS\system32\ntzg32.exe
O4 - HKLM\..\RunOnce: [syscs32.exe] C:\WINDOWS\syscs32.exe
O4 - HKLM\..\RunOnce: [appgw.exe] C:\WINDOWS\appgw.exe
O4 - HKLM\..\RunOnce: [ipwh.exe] C:\WINDOWS\system32\ipwh.exe
O4 - HKLM\..\RunOnce: [d3mu32.exe] C:\WINDOWS\system32\d3mu32.exe
O4 - HKLM\..\RunOnce: [iefo32.exe] C:\WINDOWS\system32\iefo32.exe
O4 - HKLM\..\RunOnce: [ntkk32.exe] C:\WINDOWS\ntkk32.exe
O4 - HKLM\..\RunOnce: [sysfw.exe] C:\WINDOWS\system32\sysfw.exe
O4 - HKLM\..\RunOnce: [crji.exe] C:\WINDOWS\crji.exe
O4 - HKLM\..\RunOnce: [sdktg.exe] C:\WINDOWS\sdktg.exe
O4 - HKLM\..\RunOnce: [ipcg.exe] C:\WINDOWS\system32\ipcg.exe
O4 - HKLM\..\RunOnce: [msrd.exe] C:\WINDOWS\msrd.exe
O4 - HKLM\..\RunOnce: [apimn32.exe] C:\WINDOWS\system32\apimn32.exe
O4 - HKLM\..\RunOnce: [msmn.exe] C:\WINDOWS\system32\msmn.exe
O4 - HKLM\..\RunOnce: [javaqz.exe] C:\WINDOWS\system32\javaqz.exe
O4 - HKLM\..\RunOnce: [ipax.exe] C:\WINDOWS\ipax.exe
O4 - HKLM\..\RunOnce: [netjy32.exe] C:\WINDOWS\system32\netjy32.exe
O4 - HKLM\..\RunOnce: [apixu.exe] C:\WINDOWS\apixu.exe
O4 - HKLM\..\RunOnce: [netdr.exe] C:\WINDOWS\system32\netdr.exe
O4 - HKLM\..\RunOnce: [sysqo.exe] C:\WINDOWS\sysqo.exe
O4 - HKLM\..\RunOnce: [ipdz.exe] C:\WINDOWS\system32\ipdz.exe
O4 - HKLM\..\RunOnce: [mfcso.exe] C:\WINDOWS\system32\mfcso.exe
O4 - HKLM\..\RunOnce: [syslh32.exe] C:\WINDOWS\system32\syslh32.exe
O4 - HKLM\..\RunOnce: [addws.exe] C:\WINDOWS\addws.exe
O4 - HKLM\..\RunOnce: [sdkkx32.exe] C:\WINDOWS\sdkkx32.exe
O4 - HKLM\..\RunOnce: [d3je.exe] C:\WINDOWS\d3je.exe
O4 - HKLM\..\RunOnce: [winfi32.exe] C:\WINDOWS\system32\winfi32.exe
O4 - HKLM\..\RunOnce: [ieoj.exe] C:\WINDOWS\ieoj.exe
O4 - HKLM\..\RunOnce: [iecg32.exe] C:\WINDOWS\system32\iecg32.exe
O4 - HKLM\..\RunOnce: [ieic32.exe] C:\WINDOWS\ieic32.exe
O4 - HKLM\..\RunOnce: [ntnz32.exe] C:\WINDOWS\ntnz32.exe
O4 - HKLM\..\RunOnce: [sysqk32.exe] C:\WINDOWS\sysqk32.exe
O4 - HKLM\..\RunOnce: [appvp.exe] C:\WINDOWS\system32\appvp.exe
O4 - HKLM\..\RunOnce: [winwp32.exe] C:\WINDOWS\winwp32.exe
O4 - HKLM\..\RunOnce: [winkm32.exe] C:\WINDOWS\system32\winkm32.exe
O4 - HKLM\..\RunOnce: [javapi32.exe] C:\WINDOWS\system32\javapi32.exe
O4 - HKLM\..\RunOnce: [winsc32.exe] C:\WINDOWS\system32\winsc32.exe
O4 - HKLM\..\RunOnce: [atlxy.exe] C:\WINDOWS\atlxy.exe
O4 - HKLM\..\RunOnce: [appyh32.exe] C:\WINDOWS\system32\appyh32.exe
O4 - HKLM\..\RunOnce: [addmv32.exe] C:\WINDOWS\addmv32.exe
O4 - HKLM\..\RunOnce: [d3ra.exe] C:\WINDOWS\d3ra.exe
O4 - HKLM\..\RunOnce: [sdkve.exe] C:\WINDOWS\sdkve.exe
O4 - HKLM\..\RunOnce: [crog.exe] C:\WINDOWS\crog.exe
O4 - HKLM\..\RunOnce: [atlol32.exe] C:\WINDOWS\system32\atlol32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V1.0\EzButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_30.dll' missing
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O15 - Trusted Zone: *.ngb.army.mil
O15 - Trusted Zone: *.us.army.mil
O15 - Trusted Zone: webmail.us.army.mil
O15 - Trusted Zone: *.army.mil
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {1503C25F-EB14-4633-91C1-6EB014FC7869} (ExcelExport.XLExport) - https://minuteman.ngb.army.mil/Components/ExcelExport.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093641947003
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - https://55.194.30.152/Components/iemenu.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\apiaw.exe" /s (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

#3 Grinler

    Lawrence Abrams

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 09 July 2005 - 11:26 AM

Download cwshredder 2.12 from here:

http://cwshredder.net/bin/CWShredder.exe

Run the file after it is downloaded and click on the fix button. Let it do its thing and when it's done, even if it crashes.

When it's done, run HijackThis again and post a new log.

#4 paarngboy
  • Topic Starter

  • Members
  • 4 posts

Posted 09 July 2005 - 01:30 PM

Okay, thanks for replying. Here is my log after running CWShredder.

Logfile of HijackThis v1.99.1
Scan saved at 2:26:29 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\EzButton System V1.0\EzButton.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = PumpDaddy's Machine!!!
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\RunOnce: [apiaw.exe] C:\WINDOWS\system32\apiaw.exe
O4 - HKLM\..\RunOnce: [mszg32.exe] C:\WINDOWS\system32\mszg32.exe
O4 - HKLM\..\RunOnce: [appbi.exe] C:\WINDOWS\appbi.exe
O4 - HKLM\..\RunOnce: [winqf.exe] C:\WINDOWS\winqf.exe
O4 - HKLM\..\RunOnce: [crdh32.exe] C:\WINDOWS\system32\crdh32.exe
O4 - HKLM\..\RunOnce: [apiae32.exe] C:\WINDOWS\system32\apiae32.exe
O4 - HKLM\..\RunOnce: [winng.exe] C:\WINDOWS\system32\winng.exe
O4 - HKLM\..\RunOnce: [d3dp32.exe] C:\WINDOWS\d3dp32.exe
O4 - HKLM\..\RunOnce: [netis32.exe] C:\WINDOWS\system32\netis32.exe
O4 - HKLM\..\RunOnce: [sysiu32.exe] C:\WINDOWS\sysiu32.exe
O4 - HKLM\..\RunOnce: [sdknw.exe] C:\WINDOWS\sdknw.exe
O4 - HKLM\..\RunOnce: [ntww.exe] C:\WINDOWS\system32\ntww.exe
O4 - HKLM\..\RunOnce: [appbq.exe] C:\WINDOWS\system32\appbq.exe
O4 - HKLM\..\RunOnce: [iell.exe] C:\WINDOWS\iell.exe
O4 - HKLM\..\RunOnce: [crba32.exe] C:\WINDOWS\crba32.exe
O4 - HKLM\..\RunOnce: [d3um.exe] C:\WINDOWS\system32\d3um.exe
O4 - HKLM\..\RunOnce: [winqq32.exe] C:\WINDOWS\system32\winqq32.exe
O4 - HKLM\..\RunOnce: [ieaq.exe] C:\WINDOWS\system32\ieaq.exe
O4 - HKLM\..\RunOnce: [iefn32.exe] C:\WINDOWS\system32\iefn32.exe
O4 - HKLM\..\RunOnce: [ieuk32.exe] C:\WINDOWS\ieuk32.exe
O4 - HKLM\..\RunOnce: [ntzg32.exe] C:\WINDOWS\system32\ntzg32.exe
O4 - HKLM\..\RunOnce: [syscs32.exe] C:\WINDOWS\syscs32.exe
O4 - HKLM\..\RunOnce: [appgw.exe] C:\WINDOWS\appgw.exe
O4 - HKLM\..\RunOnce: [ipwh.exe] C:\WINDOWS\system32\ipwh.exe
O4 - HKLM\..\RunOnce: [d3mu32.exe] C:\WINDOWS\system32\d3mu32.exe
O4 - HKLM\..\RunOnce: [iefo32.exe] C:\WINDOWS\system32\iefo32.exe
O4 - HKLM\..\RunOnce: [ntkk32.exe] C:\WINDOWS\ntkk32.exe
O4 - HKLM\..\RunOnce: [sysfw.exe] C:\WINDOWS\system32\sysfw.exe
O4 - HKLM\..\RunOnce: [crji.exe] C:\WINDOWS\crji.exe
O4 - HKLM\..\RunOnce: [sdktg.exe] C:\WINDOWS\sdktg.exe
O4 - HKLM\..\RunOnce: [ipcg.exe] C:\WINDOWS\system32\ipcg.exe
O4 - HKLM\..\RunOnce: [msrd.exe] C:\WINDOWS\msrd.exe
O4 - HKLM\..\RunOnce: [apimn32.exe] C:\WINDOWS\system32\apimn32.exe
O4 - HKLM\..\RunOnce: [msmn.exe] C:\WINDOWS\system32\msmn.exe
O4 - HKLM\..\RunOnce: [javaqz.exe] C:\WINDOWS\system32\javaqz.exe
O4 - HKLM\..\RunOnce: [ipax.exe] C:\WINDOWS\ipax.exe
O4 - HKLM\..\RunOnce: [netjy32.exe] C:\WINDOWS\system32\netjy32.exe
O4 - HKLM\..\RunOnce: [apixu.exe] C:\WINDOWS\apixu.exe
O4 - HKLM\..\RunOnce: [netdr.exe] C:\WINDOWS\system32\netdr.exe
O4 - HKLM\..\RunOnce: [sysqo.exe] C:\WINDOWS\sysqo.exe
O4 - HKLM\..\RunOnce: [ipdz.exe] C:\WINDOWS\system32\ipdz.exe
O4 - HKLM\..\RunOnce: [mfcso.exe] C:\WINDOWS\system32\mfcso.exe
O4 - HKLM\..\RunOnce: [syslh32.exe] C:\WINDOWS\system32\syslh32.exe
O4 - HKLM\..\RunOnce: [addws.exe] C:\WINDOWS\addws.exe
O4 - HKLM\..\RunOnce: [sdkkx32.exe] C:\WINDOWS\sdkkx32.exe
O4 - HKLM\..\RunOnce: [d3je.exe] C:\WINDOWS\d3je.exe
O4 - HKLM\..\RunOnce: [winfi32.exe] C:\WINDOWS\system32\winfi32.exe
O4 - HKLM\..\RunOnce: [ieoj.exe] C:\WINDOWS\ieoj.exe
O4 - HKLM\..\RunOnce: [iecg32.exe] C:\WINDOWS\system32\iecg32.exe
O4 - HKLM\..\RunOnce: [ieic32.exe] C:\WINDOWS\ieic32.exe
O4 - HKLM\..\RunOnce: [ntnz32.exe] C:\WINDOWS\ntnz32.exe
O4 - HKLM\..\RunOnce: [sysqk32.exe] C:\WINDOWS\sysqk32.exe
O4 - HKLM\..\RunOnce: [appvp.exe] C:\WINDOWS\system32\appvp.exe
O4 - HKLM\..\RunOnce: [winwp32.exe] C:\WINDOWS\winwp32.exe
O4 - HKLM\..\RunOnce: [winkm32.exe] C:\WINDOWS\system32\winkm32.exe
O4 - HKLM\..\RunOnce: [javapi32.exe] C:\WINDOWS\system32\javapi32.exe
O4 - HKLM\..\RunOnce: [winsc32.exe] C:\WINDOWS\system32\winsc32.exe
O4 - HKLM\..\RunOnce: [atlxy.exe] C:\WINDOWS\atlxy.exe
O4 - HKLM\..\RunOnce: [appyh32.exe] C:\WINDOWS\system32\appyh32.exe
O4 - HKLM\..\RunOnce: [addmv32.exe] C:\WINDOWS\addmv32.exe
O4 - HKLM\..\RunOnce: [d3ra.exe] C:\WINDOWS\d3ra.exe
O4 - HKLM\..\RunOnce: [sdkve.exe] C:\WINDOWS\sdkve.exe
O4 - HKLM\..\RunOnce: [crog.exe] C:\WINDOWS\crog.exe
O4 - HKLM\..\RunOnce: [atlol32.exe] C:\WINDOWS\system32\atlol32.exe
O4 - HKLM\..\RunOnce: [ntmb.exe] C:\WINDOWS\system32\ntmb.exe
O4 - HKLM\..\RunOnce: [appmo32.exe] C:\WINDOWS\system32\appmo32.exe
O4 - HKLM\..\RunOnce: [d3fi.exe] C:\WINDOWS\d3fi.exe
O4 - HKLM\..\RunOnce: [atloq.exe] C:\WINDOWS\atloq.exe
O4 - HKLM\..\RunOnce: [appws.exe] C:\WINDOWS\appws.exe
O4 - HKLM\..\RunOnce: [ntoz32.exe] C:\WINDOWS\ntoz32.exe
O4 - HKLM\..\RunOnce: [mfcpd.exe] C:\WINDOWS\mfcpd.exe
O4 - HKLM\..\RunOnce: [ipgt32.exe] C:\WINDOWS\ipgt32.exe
O4 - HKLM\..\RunOnce: [apihh.exe] C:\WINDOWS\apihh.exe
O4 - HKLM\..\RunOnce: [atldl32.exe] C:\WINDOWS\system32\atldl32.exe
O4 - HKLM\..\RunOnce: [javatj.exe] C:\WINDOWS\javatj.exe
O4 - HKLM\..\RunOnce: [crct.exe] C:\WINDOWS\crct.exe
O4 - HKLM\..\RunOnce: [appmz32.exe] C:\WINDOWS\appmz32.exe
O4 - HKLM\..\RunOnce: [apiqd32.exe] C:\WINDOWS\system32\apiqd32.exe
O4 - HKLM\..\RunOnce: [ntef32.exe] C:\WINDOWS\ntef32.exe
O4 - HKLM\..\RunOnce: [appxy32.exe] C:\WINDOWS\appxy32.exe
O4 - HKLM\..\RunOnce: [atlxg32.exe] C:\WINDOWS\atlxg32.exe
O4 - HKLM\..\RunOnce: [winbq.exe] C:\WINDOWS\system32\winbq.exe
O4 - HKLM\..\RunOnce: [atlur32.exe] C:\WINDOWS\atlur32.exe
O4 - HKLM\..\RunOnce: [ipkz.exe] C:\WINDOWS\system32\ipkz.exe
O4 - HKLM\..\RunOnce: [crgd.exe] C:\WINDOWS\system32\crgd.exe
O4 - HKLM\..\RunOnce: [sysyw32.exe] C:\WINDOWS\system32\sysyw32.exe
O4 - HKLM\..\RunOnce: [apppl.exe] C:\WINDOWS\system32\apppl.exe
O4 - HKLM\..\RunOnce: [netth32.exe] C:\WINDOWS\system32\netth32.exe
O4 - HKLM\..\RunOnce: [crxz32.exe] C:\WINDOWS\system32\crxz32.exe
O4 - HKLM\..\RunOnce: [ipvo.exe] C:\WINDOWS\ipvo.exe
O4 - HKLM\..\RunOnce: [addze32.exe] C:\WINDOWS\addze32.exe
O4 - HKLM\..\RunOnce: [netpx32.exe] C:\WINDOWS\system32\netpx32.exe
O4 - HKLM\..\RunOnce: [neteu32.exe] C:\WINDOWS\neteu32.exe
O4 - HKLM\..\RunOnce: [winjq32.exe] C:\WINDOWS\system32\winjq32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V1.0\EzButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_30.dll' missing
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O15 - Trusted Zone: *.ngb.army.mil
O15 - Trusted Zone: *.us.army.mil
O15 - Trusted Zone: webmail.us.army.mil
O15 - Trusted Zone: *.army.mil
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {1503C25F-EB14-4633-91C1-6EB014FC7869} (ExcelExport.XLExport) - https://minuteman.ngb.army.mil/Components/ExcelExport.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093641947003
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - https://55.194.30.152/Components/iemenu.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 09 July 2005 - 05:07 PM

Let's try this method:

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Prepare CWShredder for use:
    • Download CWShredder.
    • Save CWShredder.exe to a convenient location.
    • Please do not do anything with it yet.
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update".
    • You should not run the program yet so click "Exit".
  • Prepare cwsserviceremove.reg for use:
    • Download cwsserviceremove.zip.
    • Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
    • Please do not do anything with it yet.
Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
  • Run CWShredder:
    • Double-click on CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".
  • Remove the offending service:
    • Double-click on cwsserviceremove.reg you downloaded earlier.
    • When it asks you to merge the information to the registry click "Yes".
  • Run AboutBuster and save the logs:
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click OK at the directions prompt.
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shut down explorer.exe.
    • It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
  • Clean out temporary files:
    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Click "OK" to remove them.
    • Click "Yes" to confirm the deletion.
  • Restart your computer normally to return to normal mode.
  • Free TrendMicro Housecall scan:
    • Visit the TrendMicro Housecall website.
    • Select your country from the drop-down list and click "Go".
    • Choose "Yes" at the ActiveX Security Warning prompt.
    • Please wait while the Housecall engine is updated.
    • Select the drives to be scanned by placing a check in their respective boxes.
    • Check the "Auto Clean" box.
    • Click "SCAN" in order to begin scanning your system.
    • Please be patient while Housecall scans your system for malicious files.
    • If not auto-cleaned, remove anything it finds.
    • Click "Close" to exit the Housecall scanner.
    • Choose "Yes" at the HouseCall message prompt.
  • Prepare your reply:
    • Please post a fresh HijackThis log.
    • Please post the AboutBuster log.
    • Please note any complications you had.


#6 paarngboy

paarngboy
  • Topic Starter

  • Members
  • 4 posts

Posted 09 July 2005 - 06:08 PM

I booted back into normal mode, connected to TrendMicro Housecall and I kept getting an error and it shut down. I also lost the scroll on my mouse. I hate CWS!


Logfile of HijackThis v1.99.1
Scan saved at 6:59:46 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\d3ic32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EzButton System V1.0\EzButton.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\izdot.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\izdot.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\izdot.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\izdot.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\izdot.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\izdot.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = PumpDaddy's Machine!!!
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9E10B616-D6A4-32D5-95E7-6F227792C942} - C:\WINDOWS\d3ky.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [d3ic32.exe] C:\WINDOWS\d3ic32.exe
O4 - HKLM\..\RunOnce: [apiaw.exe] C:\WINDOWS\system32\apiaw.exe
O4 - HKLM\..\RunOnce: [mszg32.exe] C:\WINDOWS\system32\mszg32.exe
O4 - HKLM\..\RunOnce: [appbi.exe] C:\WINDOWS\appbi.exe
O4 - HKLM\..\RunOnce: [winqf.exe] C:\WINDOWS\winqf.exe
O4 - HKLM\..\RunOnce: [crdh32.exe] C:\WINDOWS\system32\crdh32.exe
O4 - HKLM\..\RunOnce: [apiae32.exe] C:\WINDOWS\system32\apiae32.exe
O4 - HKLM\..\RunOnce: [winng.exe] C:\WINDOWS\system32\winng.exe
O4 - HKLM\..\RunOnce: [d3dp32.exe] C:\WINDOWS\d3dp32.exe
O4 - HKLM\..\RunOnce: [netis32.exe] C:\WINDOWS\system32\netis32.exe
O4 - HKLM\..\RunOnce: [sysiu32.exe] C:\WINDOWS\sysiu32.exe
O4 - HKLM\..\RunOnce: [sdknw.exe] C:\WINDOWS\sdknw.exe
O4 - HKLM\..\RunOnce: [netqw.exe] C:\WINDOWS\netqw.exe
O4 - HKLM\..\RunOnce: [netoo.exe] C:\WINDOWS\system32\netoo.exe
O4 - HKLM\..\RunOnce: [addtr.exe] C:\WINDOWS\system32\addtr.exe
O4 - HKLM\..\RunOnce: [sysbl32.exe] C:\WINDOWS\system32\sysbl32.exe
O4 - HKLM\..\RunOnce: [sysqi.exe] C:\WINDOWS\sysqi.exe
O4 - HKLM\..\RunOnce: [sdkvk.exe] C:\WINDOWS\sdkvk.exe
O4 - HKLM\..\RunOnce: [ipls.exe] C:\WINDOWS\ipls.exe
O4 - HKLM\..\RunOnce: [ntgs.exe] C:\WINDOWS\ntgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: EzButton System.lnk = C:\Program Files\EzButton System V1.0\EzButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_30.dll' missing
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O15 - Trusted Zone: *.ngb.army.mil
O15 - Trusted Zone: *.us.army.mil
O15 - Trusted Zone: webmail.us.army.mil
O15 - Trusted Zone: *.army.mil
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1503C25F-EB14-4633-91C1-6EB014FC7869} (ExcelExport.XLExport) - https://minuteman.ngb.army.mil/Components/ExcelExport.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093641947003
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - https://55.194.30.152/Components/iemenu.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\apiaw.exe" /s (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe


AboutBuster 5.0 reference file 30
Scan started on [7/9/2005] at [6:24:43 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\diug3002hd.dat:bwabj
Removed Stream! C:\WINDOWS\KB817778.log:kwmaj
Removed Stream! C:\WINDOWS\KB820291.log:avxgij
Removed Stream! C:\WINDOWS\KB833407.log:oymjbr
Removed Stream! C:\WINDOWS\ntdtcsetup.log:ftkhq
Removed Stream! C:\WINDOWS\PowerReg.dat:nhrfm
Removed Stream! C:\WINDOWS\Q322011.log:mxkrv
Removed Stream! C:\WINDOWS\Q329048.log:ghhep
Removed Stream! C:\WINDOWS\Q331953.log:fqnlo
Removed Stream! C:\WINDOWS\Q811493.log:crtra
Removed Stream! C:\WINDOWS\QTFont.for:ftohyy
Removed Stream! C:\WINDOWS\Rhododendron.bmp:ymhusj
Removed Stream! C:\WINDOWS\Run32A50.mch:xexrq
Removed Stream! C:\WINDOWS\sessmgr.setup.log:fbnhq
Removed Stream! C:\WINDOWS\svcpack.log:ymhusj
Removed Stream! C:\WINDOWS\updspapi.log:brvsd
Removed Stream! C:\WINDOWS\vbaddin.ini:rqlnb
Removed Stream! C:\WINDOWS\vminst.log:abziv
Removed Stream! C:\WINDOWS\wininit.ini:lukss
Removed Stream! C:\WINDOWS\winnt.bmp:hlmfu
Removed Stream! C:\WINDOWS\WMSysPr9.prx:awelf
Removed Stream! C:\WINDOWS\xylmo.txt:qpshha
Removed Stream! C:\WINDOWS\zbjce.dat:fitfb
Removed Stream! C:\WINDOWS\zdgku.log:nvwkid
Removed Stream! C:\WINDOWS\_default.pif:aupkp
------------------------------------------------
Removed File! : C:\Windows\pshha.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:25:18 PM


AboutBuster 5.0 reference file 30
Scan started on [7/9/2005] at [6:31:14 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:nrtvv
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:31:32 PM


AboutBuster 5.0 reference file 30
Scan started on [7/9/2005] at [6:45:16 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\bootstat.dat:yzmhja
Removed Stream! C:\WINDOWS\vminst.log:gmctr
Removed Stream! C:\WINDOWS\WindowsUpdate.log:rnnmn
Removed Stream! C:\WINDOWS\_default.pif:eings
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:45:52 PM


AboutBuster 5.0 reference file 30
Scan started on [7/9/2005] at [6:48:19 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:fjmuag
Removed Stream! C:\WINDOWS\_default.pif:pwodcz
Removed Stream! C:\WINDOWS\_default.pif:qbjpp
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:48:38 PM


AboutBuster 5.0 reference file 30
Scan started on [7/9/2005] at [6:48:45 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:xlextj
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:49:05 PM


AboutBuster 5.0 reference file 30
Scan started on [7/9/2005] at [6:49:14 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:xnvqod
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:49:34 PM


AboutBuster 5.0 reference file 30
Scan started on [7/9/2005] at [6:49:41 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:xozcfy
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:50:01 PM


AboutBuster 5.0 reference file 30
Scan started on [7/9/2005] at [6:50:08 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:yyaun
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:50:27 PM


AboutBuster 5.0 reference file 30
Scan started on [7/9/2005] at [6:50:35 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:50:55 PM


AboutBuster 5.0 reference file 30
Scan started on [7/9/2005] at [6:51:00 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 6:51:20 PM
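Both logs in this thread show the same CoolWebSearch fingerprint: R0/R1 search pages redirected into a local res:// DLL, a BHO and a long list of HKLM RunOnce entries launching short random-named executables straight from C:\WINDOWS or system32, and an O23 service with a garbled name and a missing binary. As an added example (not part of the thread, of HijackThis or of any tool the posters used), this Python script applies those heuristics to a constructed sample of lines copied from the log above, mixed with legitimate entries from the same log so the filter has to discriminate.

```python
"""Triage HijackThis 1.99 log lines for the CoolWebSearch-style indicators in this thread."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the second log in this thread, malicious and
# benign ones side by side.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\izdot.dll/sp.html#37049",
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/",
    r"O2 - BHO: Class - {9E10B616-D6A4-32D5-95E7-6F227792C942} - C:\WINDOWS\d3ky.dll",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [d3ic32.exe] C:\WINDOWS\d3ic32.exe",
    r"O4 - HKLM\..\RunOnce: [apiaw.exe] C:\WINDOWS\system32\apiaw.exe",
    r"O4 - HKLM\..\RunOnce: [ntgs.exe] C:\WINDOWS\ntgs.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\apiaw.exe" /s (file missing)',
    r"O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe",
]

# A short random-looking file name (4-8 letters/digits) dropped directly in %WINDIR%
# or system32: the pattern every CWS RunOnce entry and BHO in the thread follows.
WINDIR_DROP = re.compile(r"^[a-z]:\\windows\\(system32\\)?[a-z0-9]{4,8}\.(exe|dll)$", re.I)
# Windows components that legitimately match the "value name == file name" rule below;
# a real allowlist would be far longer (assumption for this example).
KNOWN_GOOD = {"ctfmon.exe"}

@dataclass
class Finding:
    section: str
    reason: str
    line: str

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage_line(line):
    """Return a Finding for a suspicious log line, or None for a benign one."""
    m = re.match(r"^(R\d|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section in ("R0", "R1") and "= res://" in body:
        # Search/start pages redirected into a local DLL resource: the CWS sp.html hijack.
        return Finding(section, "IE search/start page points at a local res:// DLL", line)
    if section == "O2" and WINDIR_DROP.match(body.rsplit(" - ", 1)[-1]):
        return Finding(section, "BHO loaded from a random-named DLL in %WINDIR%", line)
    if section == "O4":
        m4 = re.match(r"^(HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]+)\] (.*)$", body)
        if m4:
            hive, key, name, rest = m4.groups()
            # Quoted paths may carry arguments after the closing quote; unquoted ones are taken whole.
            path = rest[1:].split('"', 1)[0] if rest.startswith('"') else rest
            if (WINDIR_DROP.match(path) and name.lower() == basename(path)
                    and basename(path) not in KNOWN_GOOD):
                return Finding(section, f"{hive} {key} launches random-named file from %WINDIR%", line)
    if section == "O23":
        short = re.search(r"\(([^)]*)\) - ", body)  # the service's short name, if present
        garbled = short is not None and not re.fullmatch(r"[\w .-]+", short.group(1))
        if garbled or "Unknown owner" in body or "(file missing)" in body:
            return Finding(section, "service with garbled name, unknown owner or missing binary", line)
    return None

def triage(lines):
    return [f for f in map(triage_line, lines) if f is not None]

def summarize(findings):
    """Count findings per HijackThis section, e.g. {'O4': 3, ...}."""
    return dict(Counter(f.section for f in findings))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The heuristics only flag entries for review; as the helper's instructions above show, the removal itself still needs the tools and the Safe Mode sequence, and the allowlist would have to be extended before running this against an arbitrary log.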

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 09 July 2005 - 06:21 PM

The first thing I need you to do is download the file from here:

ServiceFilter.zip - Get list of XP/2000/NT Services

Extract the zip file to your C: drive. Once it is extracted there will be a directory on your C: drive called ServiceFilter. Inside the C:\ServiceFilter directory will be a file called ServiceFilter.vbs. Simply double-click on the ServiceFilter.vbs. When the script finishes a WordPad document should open with the unknown services listed in it.

If the script could not access WordPad then you will see a message box telling you so. In that case you need to open POST_THIS.TXT by double-clicking it and paste the contents as a reply to this topic. Please provide a brand new HijackThis log as well in this reply.



