Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hjt Log: Please Help Diagnose


  • This topic is locked This topic is locked
7 replies to this topic

#1 Alucard the Dragon Child

Alucard the Dragon Child

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:57 AM

Posted 29 December 2005 - 09:52 AM

Hi, PLease help my laptop is filled with spywhare and other stuff i have run both ad-aware and spybot and reboted befor posting this log and the damn spyaxe is still getting on my nerves as well as most likly a mountain of other spyware....

Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:24:02 PM, on 29/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wm.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aapt.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.1:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ascnet;*.allsaints.wa.edu.au;172.16.*;<local>
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\System32\hpCFED.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Microsoft Tray] D:\My Shared Folder\Games (1).exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [LIPlDD] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [K04W
}z[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [K0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [K04W
}zigC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [K0]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [\\Adults\EPSON Stylus CX3500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P35 "\\Adults\EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX3500 Series on HOSKINGBOYS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P46 "Auto EPSON Stylus CX3500 Series on HOSKINGBOYS" /O22 "\\HOSKINGBOYS\EPSONSty" /M "Stylus CX3500"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Client Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.com.au
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32n.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119702837882
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130231823254
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - C:\WINDOWS\System32\lbhdhfoo.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

Edited by Alucard the Dragon Child, 29 December 2005 - 09:54 AM.


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:57 PM

Posted 04 January 2006 - 05:43 PM

Hi,

The forums are really busy, that explains why logs get behind. We start with the oldest logs first. If you still need some help, please start with posting a new hijackthislog in this thread. Don't start with a new thread.
Then I'll take a look. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:57 PM

Posted 10 January 2006 - 10:52 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:57 PM

Posted 17 January 2006 - 07:03 AM

Reopened.

Please post a new hijackthislog in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Alucard the Dragon Child

Alucard the Dragon Child
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:57 AM

Posted 17 January 2006 - 10:55 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:49:35 AM, on 18/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wm.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Wireless\Client Manager\CMAGS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aapt.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.1:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ascnet;*.allsaints.wa.edu.au;172.16.*;<local>
O2 - BHO: Restorator - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\System32\hp7AF4.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Microsoft Tray] D:\My Shared Folder\Games (1).exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [LIPlDD] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [K04W
}z[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [K0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [K04W
}zigC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [K0]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [\\Adults\EPSON Stylus CX3500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P35 "\\Adults\EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX3500 Series on HOSKINGBOYS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P46 "Auto EPSON Stylus CX3500 Series on HOSKINGBOYS" /O22 "\\HOSKINGBOYS\EPSONSty" /M "Stylus CX3500"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless Client Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.com.au
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32n.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119702837882
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130231823254
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - C:\WINDOWS\System32\lbhdhfoo.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

I doubt much has changed...

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:57 PM

Posted 18 January 2006 - 12:32 AM

Hello,

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Download smitRem and save the file to your desktop.
Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem.

* Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Please download ATF Cleaner by Atribune.
Do not run it yet.

* Reboot into Safe Mode`: ( without networking support !)
To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Restorator - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\System32\hp7AF4.tmp
O4 - HKLM\..\Run: [Microsoft Tray] D:\My Shared Folder\Games (1).exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [LIPlDD] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [K04W }z[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [K0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [K04W }zigC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [K0]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nuxcet.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/dialer/int_ver32n.CAB
O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - C:\WINDOWS\System32\lbhdhfoo.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\System32\lbhdhfoo.dll
C:\WINDOWS\nuxcet.exe
C:\Program Files\ISTsvc <== folder

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

* Reboot back into Windows.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply along with a new HijackThis Log, the contents of smitfiles.txt which is present on your Homedrive (C:\ in most cases)
and the Ewido Log by using Add Reply.

Edited by miekiemoes, 18 January 2006 - 12:33 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:57 PM

Posted 24 January 2006 - 03:05 PM

Hi, I already closed this thread before because there was no feedback anymore, assuming the problem was fixed.
now we're one week later again and I still didn't receive any feedback with the logs I asked, so I assume again this issue is solved.
I'll leave this thread open for another 2 days and then I am going to close it if I don't receive feedback on this.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:57 PM

Posted 26 January 2006 - 11:42 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users