HijackThis Log - Please Help Diagnose!


11 replies to this topic

#1 struwwelpeter

  • Members
  • 7 posts

Posted 12 July 2005 - 12:40 PM

Hi All -

Here is my HijackThis Log. I've been hijacked by oxide.com, using Firefox. Please Help!

Thanks,
Peter

Logfile of HijackThis v1.99.1
Scan saved at 10:40:01 AM, on 7/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euroseek.net/page?ifl=uk&page=msie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {DA4EB021-5F1C-11D4-B006-00104B98E2C7} (McAfee Clinic Installer Control) - http://download.mcafee.com/molbin/shared/MInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050...all/xscan53.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.office.microsoft.com/ProductUpd...ontent/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/252ac35d6dc10bc31005/netzip/RdxIE6.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://207.248.137.225/media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw11fd.law11.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\bma applications\Autocad 2002\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\bma applications\Autocad 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\bma applications\Autocad 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\bma applications\Autocad 2002\InstFred.ocx
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} (mpsPwLc7.PMWebSiteLogin) - http://pm.okland.com/pw/mpsPwLc7.CAB
O16 - DPF: {1917D5C6-356D-467D-88FA-14E56FF81601} (FileMgt.FileMgtCtrl) - http://pm.okland.com/pw/FileMgt.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = lkm.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.244.0.3,209.244.0.4
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\OCERD\PMPROTOCOL.DLL

#2 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 14 July 2005 - 10:21 AM

Hello struwwelpeter and welcome to the BC malware forum. It appears that this log is missing some of the information. We need a complete HijackThis (HJT) log file to be able to analyze what is happening on your computer.

Boot normally, start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis, and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 struwwelpeter
  • Topic Starter

  • Members
  • 7 posts

Posted 15 July 2005 - 10:27 AM

Hi OT -

Thanks in advance for taking a look at this. I checked the "include list of running processes in logfiles" button in config, which I think BC's instructions had said to uncheck. Is this all that you need?

I'm most suspicious about a line at the end - MSTCP: Domain = lkm.com. Any help would be most appreciated. I've tried running both Spybot and Ad-Aware, and use an AVG virus scanner, but nothing's been able to catch this hijacker.

Cheers,
struwwelpeter

Logfile of HijackThis v1.99.1
Scan saved at 8:26:20 AM, on 7/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MS HARDWARE\POINT32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\HPJETDSC.EXE
C:\TOOLS_95\IOWATCH.EXE
C:\TOOLS_95\IMGICON.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WSASRV.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\PROGRAM FILES\SECURECRT\SECURECRT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euroseek.net/page?ifl=uk&page=msie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {DA4EB021-5F1C-11D4-B006-00104B98E2C7} (McAfee Clinic Installer Control) - http://download.mcafee.com/molbin/shared/MInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050...all/xscan53.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.office.microsoft.com/ProductUpd...ontent/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/252ac35d6dc10bc31005/netzip/RdxIE6.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://207.248.137.225/media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw11fd.law11.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\bma applications\Autocad 2002\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\bma applications\Autocad 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\bma applications\Autocad 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\bma applications\Autocad 2002\InstFred.ocx
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} (mpsPwLc7.PMWebSiteLogin) - http://pm.okland.com/pw/mpsPwLc7.CAB
O16 - DPF: {1917D5C6-356D-467D-88FA-14E56FF81601} (FileMgt.FileMgtCtrl) - http://pm.okland.com/pw/FileMgt.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = lkm.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.244.0.3,209.244.0.4
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\OCERD\PMPROTOCOL.DLL

#4 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 17 July 2005 - 11:38 AM

Hi struwwelpeter. The log looks pretty good. I don't see anything at the moment that gives me concern.

I am kind of curious about this file: C:\WINDOWS\SYSTEM\WSASRV.EXE. Let's have it checked out once.

We need to make sure all hidden files are showing so please:
  • Open My Computer.
  • Select the View menu and click Folder Options.
  • Select the View tab.
  • In the Hidden files section select Show all files.
  • Click OK.
Go to the Jotti's malware scan page and use the buttons at the top of the page to browse to this file(s) on your hard drive to submit for a scan:
C:\WINDOWS\SYSTEM\WSASRV.EXE
Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.

Also, let's run a different scan for items which might not show up in the HijackThis log.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) and the information from the Jotti file scan back here so I can review it.

OT

#5 struwwelpeter
  • Topic Starter

  • Members
  • 7 posts

Posted 18 July 2005 - 09:58 AM

Hi OT -

Here's the Jotti log, which found nothing. WinPFind is farther below.


File: WSASRV.EXE
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 1e3dfcc25e9a0cc28f3158556e618692
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing



What follows is WinPFind.txt. Out of curiosity, did you write this program yourself?

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

Files found

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! c:\windows\Tsc.exe
UPX! c:\windows\vsapi32.dll
aspack c:\windows\vsapi32.dll
UPX! c:\windows\RMAgentOutput.dll

Checking %System% folder...
PTech c:\windows\system\MDACRDME.HTM

Checking %System%\Drivers folder and sub-folders...
UPX! c:\windows\system32\drivers\AVG7CORE.SYS
FSG! c:\windows\system32\drivers\AVG7CORE.SYS
aspack c:\windows\system32\drivers\AVG7CORE.SYS

Checking the Windows folder for system and hidden files within the last 60 days...
7/18/05 c:\windows\USER.DAT
7/18/05 c:\windows\SYSTEM.DAT
6/20/05 c:\windows\ttfCache
7/15/05 c:\windows\ShellIconCache
7/6/05 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\P7RLBDNW\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\ZMRLDPBF\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\SZYF656D\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\I3SF1IVY\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\XSNUBBPF\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\JXYZE9TG\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\LIB91ACE\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\IDB8TG72\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\0XMBSTIF\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\CQWJKCRW\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\B7HFBT8W\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\ITQH4LGB\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\23EN65Q3\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\KDUJ4HYB\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\B3HFRP08\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\I9SFIHM9\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\8HAV4LEJ\desktop.ini
6/24/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\KP2V4P6R\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\0XCPEF8L\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\BMGNJTWT\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\O56VSPQF\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\IZY72PUB\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\WDKRCJOZ\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\29JG1WJM\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\BV9FNLOW\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\AW99JRBN\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\EZARYP63\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\XK4FL9CD\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\8HYBO5QF\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\OVF7MWHP\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\7BL7ZXCW\desktop.ini
6/29/05 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\81GLUVKL\desktop.ini
7/15/05 c:\windows\Tasks\SA.DAT

Checking Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
C:\WINDOWS\Start Menu\Programs\StartUp\Acrobat Assistant.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Iomega Startup Options.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Iomega Watch.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Zip Disk Icons.lnk

Checking files in %USERPROFILE%\Application Data folder...
C:\WINDOWS\Application Data\dw.log

Registry Entries Found

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SharingMenu
{6D78EC20-5AA6-101B-8681-366FBD64CEB9} = msshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\MiramarNPMenu
{EA075FE0-9229-11CF-AEEE-00AA00A06FE4} = atnp32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry c:\windows\scanregw.exe /autorun
TaskMonitor c:\windows\taskmon.exe
SystemTray SysTray.Exe
TCASUTIEXE TCAUDIAG.EXE -off
POINTER C:\PROGRA~1\MSHARD~1\point32.exe
VsEcomrEXE C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
AVG7_CC C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
AVG7_EMC C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
AVG7_AMSVR C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
MSFS
MAPI
IMAIL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HP JetDiscovery HPJETDSC.EXE

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HideSharePwds 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
Scan Complete
WinPFind v1.0.0.14 - Log file written to "WinPFind.Txt" in the WinPFind folder.


Thanks again for everything.

Cheers,
SP

#6 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 18 July 2005 - 12:00 PM

Hi struwwelpeter. Yes, I did write that program :thumbsup: . The WinPFind scan did not show anything bad either. I believe that the problem might lie in the 017 entries. Is this a home computer or work computer? If it is a home computer then are you on a domain named lkm.com? If not, then I think we have the culprit. Lkm.com is a domain for the oxide search engine. Also, the other 017 entry is for the DNS servers and they point to servers at LVLT (Level Communications). Is that your ISP? If not, then we might want to remove those as well.

Let me know about the above and then we will go from there.

Cheers.

OT


#7 struwwelpeter
  • Topic Starter

  • Members
  • 7 posts

Posted 18 July 2005 - 12:33 PM

Hi OT -

Great program. This is a work computer, and I think that lkm.com line is the problem - thought that for a while. As for our ISP, my computer guy here says that we use "XO communications", but that they are probably purchasing space from someone else, which might be LVLT. Should we try removing lkm.com first, and if that alone doesn't do it, removing the LVLT reference as well?

Cheers,
SP

#8 struwwelpeter
  • Topic Starter

  • Members
  • 7 posts

Posted 18 July 2005 - 12:36 PM

Hi again OT -

Update: I think the LVLT reference is fine, as XO purchased fiber networks from them, as reported on their website:

http://www.xo.com/news/67.html

Thanks again for all your help.

Cheers,
SP

#9 struwwelpeter
  • Topic Starter

  • Members
  • 7 posts

Posted 18 July 2005 - 01:21 PM

Hi OT -

One more question, out of curiosity: how can you tell that lkm.com is a domain for the oxide.com search engine? Is there a way of tracing that?

Cheers,
SP

#10 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 18 July 2005 - 01:21 PM

Hi struwwelpeter. That makes sense for the LVLT entries then. A lot of companies do simply purchase transmission across someone else's equipment.

So let's remove the lkm.com entry.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = lkm.com
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

OK. Reboot your computer normally and run it a bit to see if you still have any problems. If so, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you are still having and I will review it when it comes in.

OT

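As an added example (not code from this thread, from HijackThis or from WinPFind), the triage OldTimer did by hand in posts #6 and #10, written out in Python: pull the O17 (MSTCP Domain / NameServer) and R1 entries out of an HJT log, compare them with what the ISP or local admin can vouch for, and list the exact lines to tick before "Fix checked". The sample log is constructed from the entries quoted in this thread; the allowlists passed to `triage` are placeholders the reader fills in after asking the questions OldTimer asked.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample: the relevant entries from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euroseek.net/page?ifl=uk&page=msie
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = lkm.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.244.0.3,209.244.0.4
"""

# O17 = Win9x MSTCP (TCP/IP) settings: DNS suffix, search list and resolvers.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>Domain|NameServer|SearchList) = (?P<value>.+)$")
# R0/R1/R3 = Internet Explorer start page / search page settings.
R_RE = re.compile(r"^(?P<sec>R[013]) - (?P<key>.+?) = (?P<value>.+)$")


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Pull the O17 and R0/R1/R3 lines out of an HJT log, keeping the raw line."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            entries.append({"section": "O17", "name": m.group("name"),
                            "value": m.group("value").strip(), "line": line})
            continue
        m = R_RE.match(line)
        if m:
            entries.append({"section": m.group("sec"), "name": m.group("key").strip(),
                            "value": m.group("value").strip(), "line": line})
    return entries


def triage(entries: List[Dict[str, str]], expected_domains: Set[str],
           expected_dns: Set[str], allowed_search_hosts: Set[str]) -> List[Dict[str, str]]:
    """Flag entries the owner or admin could not vouch for.

    expected_domains / expected_dns are whatever the ISP or local admin confirms
    (placeholders here); anything else is reported for a human to decide on."""
    findings = []
    for e in entries:
        if e["section"] == "O17" and e["name"] in ("Domain", "SearchList"):
            for dom in e["value"].split(","):
                dom = dom.strip().lower()
                if dom and dom not in expected_domains:
                    findings.append({**e, "value": dom,
                                     "reason": "DNS suffix not confirmed by the owner or admin"})
        elif e["section"] == "O17" and e["name"] == "NameServer":
            for ip in e["value"].split(","):
                ip = ip.strip()
                if ip and ip not in expected_dns:
                    findings.append({**e, "value": ip,
                                     "reason": "resolver is not one of the ISP's known DNS servers"})
        elif e["section"].startswith("R"):
            host = (urlparse(e["value"]).hostname or "").lower()
            if host not in allowed_search_hosts:
                findings.append({**e, "value": host,
                                 "reason": "start/search page points at an unrecognised host"})
    return findings


def lines_to_fix(findings: List[Dict[str, str]]) -> List[str]:
    """The exact log lines to tick before 'Fix checked' (deduplicated, log order)."""
    seen, out = set(), []
    for f in findings:
        if f["line"] not in seen:
            seen.add(f["line"])
            out.append(f["line"])
    return out


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    # Placeholder allowlists: the thread established the two resolvers belong to
    # the ISP's upstream, while no DNS suffix was legitimate on this machine.
    hits = triage(ents, expected_domains=set(),
                  expected_dns={"209.244.0.3", "209.244.0.4"},
                  allowed_search_hosts={"www.google.com"})
    for h in hits:
        print(f"{h['section']} {h['name']}: {h['value']}  <- {h['reason']}")
    print("Tick in HijackThis:", *lines_to_fix(hits), sep="\n  ")
```

Anything this reports is a question for the machine's owner or ISP, as in the thread, not an automatic removal.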

#11 struwwelpeter
  • Topic Starter

  • Members
  • 7 posts

Posted 18 July 2005 - 01:34 PM

Hi OT -

Looks like everything's fixed; I ran HJT again just to check, and that line has been removed. No problems in about 10 minutes of browsing, when usually it would take less than a minute for oxide.com to pop up.

I'm still curious how you verified lkm.com as a domain belonging to oxide.com; is there a way you can trace that? I tried researching on google but couldn't find any straightforward way of connecting the two, even though I presumed they were in cahoots.

Thanks again for everything - you've made my browsing life much less frustrating.

Cheers,
SP

#12 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 18 July 2005 - 01:49 PM

You're very welcome struwwelpeter. I'm glad that we could help.

I couldn't find anything definitive on the web linking the 2 either so I just went to lkm.com. Guess where I got redirected to? Yup, oxide.com! That tells me they are in cahoots.

Now that your malware issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup: