
Please Help With Hijackthis Log


  • This topic is locked
12 replies to this topic

#1 sendero

  • Members
  • 50 posts

Posted 14 January 2006 - 11:14 AM

I ran HijackThis and I got this log.

My Firefox keeps autodialing...
I already ran Spybot and Ad-Aware without help.
Please help.
Windows XP SP2

Logfile of HijackThis v1.99.1
Scan saved at 11:01:11 AM, on 1/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\PROGRA~1\Ontrack\Fix-It\MXTask.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Prevx Home\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Prevx Home\SAGUI.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Eset\nod32.exe
C:\Program Files\Eset\nod32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\Rar$EX32.109\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NOD32 FiX.lnk = C:\WINDOWS\system32\regedt32.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\MXTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)
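An added example, not part of this thread and not HijackThis code: a small triage pass over the O4 (autostart) and O23 (service) lines of a HijackThis 1.99.1 log like the one above. The sample log is a constructed subset of the entries posted; the flags it raises (a dangling quote after the `.exe` on a service line, a startup shortcut whose name does not match the Windows tool it launches, a service binary with no company name) are the editor's heuristics, not anything HijackThis itself reports.

```python
"""Triage helpers for HijackThis 1.99.1 log lines.

Added example for this thread, not code from HijackThis or from the poster.
SAMPLE_LOG is a constructed subset of the O4/O23 lines in the log above;
the flagging rules are the editor's own heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NOD32 FiX.lnk = C:\WINDOWS\system32\regedt32.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)
"""

RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")


@dataclass
class Entry:
    section: str            # HJT section: "O4" (autostart) or "O23" (service)
    name: str               # Run value name, shortcut file name, or service display name
    cmd: str                # command line exactly as HJT printed it
    owner: str = ""         # O23 only: company name HJT read from the binary
    flags: list[str] = field(default_factory=list)


def exe_path(cmd: str) -> str:
    """Pull the executable out of a command line as HJT prints it."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)", cmd)
    return m.group(1) if m else cmd


def parse_log(text: str) -> list[Entry]:
    """Collect O4 and O23 entries; other sections are ignored here."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            entries.append(Entry("O4", m["name"], m["cmd"]))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("O4", m["name"], m["cmd"]))
        elif m := SERVICE_RE.match(line):
            entries.append(Entry("O23", m["name"], m["cmd"], owner=m["owner"]))
    return entries


def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Attach review flags to each entry and return {name: flags}."""
    for e in entries:
        exe = exe_path(e.cmd)
        base = exe.rsplit("\\", 1)[-1]
        if "(file missing)" in e.cmd:
            e.flags.append("file missing")
            # HJT 1.99.1 prints the raw ImagePath. A quote left dangling after
            # the .exe means the value was quoted *with arguments*; the tool then
            # tested a path that still carried the arguments, so 'file missing'
            # may be a parsing artefact. Confirm on disk before acting on it.
            if '"' in e.cmd and not e.cmd.startswith('"'):
                e.flags.append("stray quote: verify the path on disk before trusting 'file missing'")
        if e.section == "O23" and e.owner == "Unknown owner":
            e.flags.append("binary carries no company name")
        if e.section == "O4" and e.name.lower().endswith(".lnk"):
            # A startup shortcut named after one product but launching a
            # Windows tool from system32 is worth asking the user about.
            stem = e.name[:-4].lower()
            if "\\system32\\" in exe.lower() and stem not in base.lower():
                e.flags.append(f"startup shortcut '{e.name}' launches Windows tool {base}")
    return {e.name: e.flags for e in entries}


if __name__ == "__main__":
    for name, flags in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{name:<40} {'; '.join(flags) or 'ok'}")
```

On the log above this flags the two services reported as "(file missing)" (both carry a stray quote after the `.exe`, so the file is probably present and the service path simply had arguments) and the `NOD32 FiX.lnk` shortcut, which launches `regedt32.exe` rather than anything NOD32-related; the Run entries and the Eset service pass clean.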

#2 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 19 January 2006 - 01:23 PM

Hello & welcome to Bleepings.

It's been a while since you last posted the HJT log. If you still require assistance, please post a fresh HJT log.
I'm subscribed to this thread & will receive almost immediate notification once that comes in.

Before doing so, please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Thanks.
sUBs

#3 sendero
  • Topic Starter

  • Members
  • 50 posts

Posted 22 January 2006 - 08:39 AM

I did what you recommended and... here is the file.
Although I am running an updated version of NOD32, I am unable to remove these files... any idea?
Thanks again!
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, January 22, 2006 08:30:43
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 21/01/2006
Kaspersky Anti-Virus database records: 172346
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 161210
Number of viruses found: 22
Number of infected objects: 48
Number of suspicious objects: 2
Duration of the scan process: 10369 sec

Infected Object Name - Virus Name
C:\ddm_d.exe Infected: not-a-virus:AdWare.Win32.DynaDesk
C:\Documents and Settings\adrian\Desktop\fgf140.exe/WISE0018.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor
C:\Documents and Settings\adrian\Desktop\fgf140.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Cydoor
C:\Documents and Settings\adrian\Desktop\fgf140.exe Infected: not-a-virus:AdWare.Win32.Cydoor
C:\Documents and Settings\adrian\Desktop\GDiVX1.9.9.2.exe/data0010 Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\Documents and Settings\adrian\Desktop\GDiVX1.9.9.2.exe/data0011/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af
C:\Documents and Settings\adrian\Desktop\GDiVX1.9.9.2.exe/data0011/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl
C:\Documents and Settings\adrian\Desktop\GDiVX1.9.9.2.exe/data0011/data0001.cab/Weather/Weather.exe Infected: not-a-virus:AdWare.Win32.SaveNow.m
C:\Documents and Settings\adrian\Desktop\GDiVX1.9.9.2.exe/data0011/data0001.cab/Weather/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.m
C:\Documents and Settings\adrian\Desktop\GDiVX1.9.9.2.exe/data0011/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.m
C:\Documents and Settings\adrian\Desktop\GDiVX1.9.9.2.exe/data0011 Infected: not-a-virus:AdWare.Win32.SaveNow.m
C:\Documents and Settings\adrian\Desktop\GDiVX1.9.9.2.exe Infected: not-a-virus:AdWare.Win32.SaveNow.m
C:\Documents and Settings\adrian_2\Desktop\GordianKnot.CodecPack.1.1.exe/data0012 Infected: not-a-virus:AdWare.Win32.Gator.3202
C:\Documents and Settings\adrian_2\Desktop\GordianKnot.CodecPack.1.1.exe Infected: not-a-virus:AdWare.Win32.Gator.3202
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy3.zip/msexreg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy3.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Owner.HOME-93CBMGPG4L\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-3004db0a.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Owner.HOME-93CBMGPG4L\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-3004db0a.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Owner.HOME-93CBMGPG4L\Local Settings\Temporary Internet Files\Content.IE5\YMRVQJMB\Winamp.Pro.v5.094.Plus.Final.HH.ZMB[1].zip/Setup/ha_winamp5094_Plus_zmb_ttdown.com.exe/stream/data0263 Infected: not-a-virus:AdWare.Win32.WSearch.c
C:\Documents and Settings\Owner.HOME-93CBMGPG4L\Local Settings\Temporary Internet Files\Content.IE5\YMRVQJMB\Winamp.Pro.v5.094.Plus.Final.HH.ZMB[1].zip/Setup/ha_winamp5094_Plus_zmb_ttdown.com.exe/stream Infected: not-a-virus:AdWare.Win32.WSearch.c
C:\Documents and Settings\Owner.HOME-93CBMGPG4L\Local Settings\Temporary Internet Files\Content.IE5\YMRVQJMB\Winamp.Pro.v5.094.Plus.Final.HH.ZMB[1].zip/Setup/ha_winamp5094_Plus_zmb_ttdown.com.exe Infected: not-a-virus:AdWare.Win32.WSearch.c
C:\Documents and Settings\Owner.HOME-93CBMGPG4L\Local Settings\Temporary Internet Files\Content.IE5\YMRVQJMB\Winamp.Pro.v5.094.Plus.Final.HH.ZMB[1].zip Infected: not-a-virus:AdWare.Win32.WSearch.c
C:\Program Files\ESET\infected\4ZNMTAAA.NQF/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bx
C:\Program Files\ESET\infected\4ZNMTAAA.NQF/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.EZula.bc
C:\Program Files\ESET\infected\4ZNMTAAA.NQF/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050
C:\Program Files\ESET\infected\4ZNMTAAA.NQF Infected: not-a-virus:AdWare.Win32.Gator.1050
C:\Program Files\ESET\infected\FKBU12CA.NQF/WISE0059.BIN Infected: not-a-virus:AdWare.Win32.GigatechSuperBar
C:\Program Files\ESET\infected\FKBU12CA.NQF Infected: not-a-virus:AdWare.Win32.GigatechSuperBar
C:\Program Files\ESET\infected\HEYM1HBA.NQF/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.Aureate
C:\Program Files\ESET\infected\HEYM1HBA.NQF/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.Aureate
C:\Program Files\ESET\infected\HEYM1HBA.NQF/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a
C:\Program Files\ESET\infected\HEYM1HBA.NQF/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a
C:\Program Files\ESET\infected\HEYM1HBA.NQF/WISE0028.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a
C:\Program Files\ESET\infected\HEYM1HBA.NQF/WISE0111.BIN Infected: not-a-virus:AdWare.Win32.Gator.1012
C:\Program Files\ESET\infected\HEYM1HBA.NQF Infected: not-a-virus:AdWare.Win32.Gator.1012
C:\Program Files\LimeWire\2.8.6\limeshop.exe/data0115 Infected: not-a-virus:AdWare.Win32.TopMoxie.e
C:\Program Files\LimeWire\2.8.6\limeshop.exe Infected: not-a-virus:AdWare.Win32.TopMoxie.e
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603
C:\Program Files\wsearch\mupdate.exe.tmp/mupdate.exe Infected: not-a-virus:AdWare.Win32.WSearch.d
C:\Program Files\wsearch\mupdate.exe.tmp Infected: not-a-virus:AdWare.Win32.WSearch.d
C:\software\EasyDivX_0820_standard.exe/ic6C.cab/DivX502Bundle.exe Infected: not-a-virus:AdWare.Win32.Gator.3202
C:\software\EasyDivX_0820_standard.exe/ic6C.cab Infected: not-a-virus:AdWare.Win32.Gator.3202
C:\software\EasyDivX_0820_standard.exe Infected: not-a-virus:AdWare.Win32.Gator.3202
C:\software\GordianKnot.CodecPack.1.2.exe/data0009 Infected: not-a-virus:AdWare.Win32.Gator.3202
C:\software\GordianKnot.CodecPack.1.2.exe Infected: not-a-virus:AdWare.Win32.Gator.3202
D:\Disk.Checker.3.0.BETA.1.us_CRKEXE-FFF.exe/run.exe Infected: Trojan-Downloader.Win32.IstBar.is
D:\Disk.Checker.3.0.BETA.1.us_CRKEXE-FFF.exe Infected: Trojan-Downloader.Win32.IstBar.is
D:\xp100r2.exe/WISE0073.BIN/WISE0007.BIN Infected: not-a-virus:AdWare.Win32.BMCentral.a
D:\xp100r2.exe/WISE0073.BIN Infected: not-a-virus:AdWare.Win32.BMCentral.a
D:\xp100r2.exe Infected: not-a-virus:AdWare.Win32.BMCentral.a

Scan process completed.
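An added example, not from the thread, from Kaspersky or from the poster: the report above lists every nested object on its own line (installer, then the cab inside it, then the exe inside that), so the 48 "infected objects" collapse to far fewer on-disk files once grouped by the outermost path, and several of those files sit in what I read as NOD32's quarantine folder (`C:\Program Files\ESET\infected`, `.NQF` files) or in Spybot's `Recovery` folder, which is one reason another scanner cannot "remove" them. The sample is a constructed subset of the report lines above; the folder rules and suggested actions are the editor's own heuristics.

```python
"""Group a Kaspersky On-line Scanner report by container and decide what to do.

Added example for this thread, not code from Kaspersky or from the poster.
SAMPLE_REPORT is a constructed subset of the lines in the report above; the
location rules and suggested actions are the editor's own heuristics.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_REPORT = r"""
C:\ddm_d.exe Infected: not-a-virus:AdWare.Win32.DynaDesk
C:\Documents and Settings\adrian\Desktop\fgf140.exe/WISE0018.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor
C:\Documents and Settings\adrian\Desktop\fgf140.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Cydoor
C:\Documents and Settings\adrian\Desktop\fgf140.exe Infected: not-a-virus:AdWare.Win32.Cydoor
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy3.zip/msexreg.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy3.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Owner.HOME-93CBMGPG4L\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-3004db0a.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Owner.HOME-93CBMGPG4L\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-3004db0a.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Program Files\ESET\infected\4ZNMTAAA.NQF/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050
C:\Program Files\ESET\infected\4ZNMTAAA.NQF Infected: not-a-virus:AdWare.Win32.Gator.1050
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603
D:\Disk.Checker.3.0.BETA.1.us_CRKEXE-FFF.exe/run.exe Infected: Trojan-Downloader.Win32.IstBar.is
D:\Disk.Checker.3.0.BETA.1.us_CRKEXE-FFF.exe Infected: Trojan-Downloader.Win32.IstBar.is
"""

LINE_RE = re.compile(r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<verdict>\S+)$")
SEVERITY = {"pua": 0, "suspicious": 1, "malware": 2}


@dataclass
class Container:
    path: str                                   # outermost on-disk file
    objects: list[tuple[str, str]] = field(default_factory=list)  # (inner path, verdict)
    worst: str = "pua"

    @property
    def nested(self) -> bool:
        """True when at least one hit is inside the file (archive/installer)."""
        return any(inner for inner, _ in self.objects)


def classify(status: str, verdict: str) -> str:
    """Map Kaspersky's verdict string onto three triage buckets."""
    if status == "Suspicious":
        return "suspicious"
    if verdict.startswith("not-a-virus:"):
        return "pua"        # AdWare, Client-IRC (mIRC itself!) etc.: unwanted, not malicious code
    return "malware"        # Trojan-Downloader.*, Virus.*, Worm.* ...


def location(container: str) -> str:
    """Where the outermost file lives; drives what 'removal' can mean."""
    low = container.lower()
    if "\\eset\\infected\\" in low or "\\spybot - search & destroy\\recovery\\" in low:
        return "quarantine or backup folder of another tool"
    if "\\temporary internet files\\" in low or "\\.jpi_cache\\" in low:
        return "browser or plugin cache"
    return "user or program files"


def parse_report(text: str) -> dict[str, Container]:
    """One Container per outermost file; Kaspersky separates nested objects with '/'."""
    containers: dict[str, Container] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        outer, _, inner = m["path"].partition("/")
        c = containers.setdefault(outer, Container(outer))
        c.objects.append((inner, m["verdict"]))
        cat = classify(m["status"], m["verdict"])
        if SEVERITY[cat] > SEVERITY[c.worst]:
            c.worst = cat
    return containers


def summary(text: str) -> dict[str, int]:
    """Count containers (files), not scanner hits, per bucket."""
    return dict(Counter(c.worst for c in parse_report(text).values()))


def action(c: Container) -> str:
    loc = location(c.path)
    if loc.startswith("quarantine"):
        return "already isolated by another tool; empty that tool's quarantine rather than 'cleaning' it"
    if c.nested:
        return "component inside an archive/installer; nothing to clean in place, delete the whole file"
    return "standalone file; remove it or confirm the vendor's verdict"


if __name__ == "__main__":
    for c in parse_report(SAMPLE_REPORT).values():
        print(f"{c.worst:<10} {location(c.path):<45} {c.path}\n    -> {action(c)}")
    print(summary(SAMPLE_REPORT))
```

Run against the sample, thirteen scanner hits become seven files: two carry real trojan-downloader detections (a cached Java installer applet and a cracked-software download on D:), one is a password-protected archive Spybot itself backed up, and the rest are adware bundled inside installers or already sitting in NOD32's quarantine. That grouping is what a helper needs before deciding what, if anything, the user should delete.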

#4 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 22 January 2006 - 09:09 AM

Start HJT & go to Config > Misc Tools - Open Uninstall Manager

Click the Save List button & post the resultant log here.

Please highlight any entries that look suspicious to you


Also post a fresh HJT log & let me know if you're experiencing any malware activity like browser redirection/hijack or pop ups.

#5 sendero
  • Topic Starter

  • Members
  • 50 posts

Posted 22 January 2006 - 05:25 PM

What I did is several things.
I downloaded Kaspersky and I cleaned the system: apparently I had only 2 viruses, which were disinfected. I reran HJT; I am copying the list and I also followed your advice:

1) #1 Video Converter 3.4.1
42 Always Connected (AC) Plug
602Pro PRINT PACK 2002
ABC Amber PDF Converter
AC3Filter (remove only)
Active Ports
Ad-Aware SE Professional
Adobe Acrobat 6.0 - Tryout
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop 7.0
Advanced Zip Repairer v1.52
All Media Fixer 3.4
All Video Converter 1.0
AntiCrash 3.6.1
AnyDVD
ASF-AVI-RM-WMV Repair 1.82
Ashampoo UnInstaller Suite
ASTONSOFT Winsock restore
Audacity 1.0.0
Auralia
Auto Gordian Knot 1.87 beta
AVI to VCD SVCD DVD Converter 1.4.35
AviSynth 2.5
AVS VideoConverter 2.7.1.114
Axence NetTools 1.0
Belarc Advisor 7.0
Belkin Wireless Mouse Driver 3.82
Biblioteca de Consulta Microsoft Encarta 2004
Bsi Load Maker (remove only)
BSPlayer
Burn4Free 1.0
burnatonce
Cablenut 4.08
Camtasia Studio 2
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon ScanGear Toolbox 3.1
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
CarryDVD
CD Data Rescue 2.3
CD/DVD Diagnostic
CDBank (remove only)
CD-R Diagnostic
CDRoller version 5.33
CleanMyPC - Registry Cleaner
Clipboard Recorder 2.1.3
CloneCD
CloneDVD2
Compel Adaptec WinASPI
Compresor WinRAR
Cool Mp3 Converter V1.7
Cool MP3 Splitter 1.21
Corel Paint Shop Pro X
CrackersKit 1.1
DAEMON Tools
Dapyx MP3 Explorer v2.07beta2
Debugging Tools for Windows
DeliPlayer 2.00
Dell ResourceCD
Dell Support 5.0.0 (630)
Device Control
DioneSS AudioLogic v3.0
DioneSS Playlist Editor v2.1
Direct Connect 1.0 Preview Build 9
Direct Show Ogg Vorbis Filter (remove only)
DiskeeperWorkstation
DivX
DivX 5.0.5 Pro Video Codec
DivX Player
divXMovieTool (remove only)
Duplicate files manager V4.2.2
DVC80
DVD Data Rescue 1.1
DVD Decrypter (Remove Only)
DVD Identifier
DVD Shrink 3.2
DVD X Copy Platinum 4.0.3
DVD X Rescue
DVD2SVCD 1.2.1 Build 1
EarMaster Pro 4
EarMaster Pro 5
Easy CD-DA Extractor 7.0
EasyRecovery Professional
El pequeño Fritz
EphPod
EXPStudio Audio Editor 3.5.1
ffdshow (remove only)
FileMaker Pro 6
FLAC Installer 1.1.1a (remove only)
GetData 2.21
GetDataBack for FAT
Google Toolbar for Internet Explorer
Gordian Knot Rip Pack 0.28.7
GSpot Codec Information Appliance
Happy Note! clé de Sol et Fa
Happy Note! Note Cracker
Happy Note! Play It By Ear
Happy Note! Treble and Bass Clef
Happy Note! Treble Clef and Bass Clef
Hare 1.5.1
HDDlife
HDDlife
Helium v1.8 (build 4008)
HijackThis 1.99.1
Hitman Pro
hp deskjet 3500
HP Image Zone Express
hp print screen utility
HP Software Update
ImageStation Easy Upload Tools
Index.DAT File Viewer
Intel® Extreme Graphics Driver
InterFax Deluxe
InterVideo DVDCopy 3
InterVideo WinDVD Creator 2
iPod for Windows 2005-10-12
iPod Updater 2004-11-15
IrfanView (remove only)
ISI ResearchSoft - Export Helper
IsoBuster 1.7
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
JMP 5.1
Karen's Directory Printer
Kaspersky Anti-Virus Personal Pro
Kaspersky On-line Scanner
L&H TTS3000 Español
L&H TTS3000 Français
Lexmark Supplies Monitor
Lexmark Z55
Linksys Wireless-G USB Network Adapter
Lizardtech DjVu Control
Lucent Win Modem
Maxtor OneTouch
Media Jukebox 8.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Office XP Professional
Midisport 1x1 1.0.1.0
MovieStar 5
Mozilla Firefox (1.0.7)
MP3 Sound Cutter 1.40
MP3 Splitter & Joiner
MP3PowerEncoder
Nero 6 Ultra Edition
NOD32 antivirus system
NOD32 FiX v1.0
OneTouch Version 3.0
overland
Palm Desktop
Papayatech TuneSpark 1.2
Passware Kit - 5.0.0
Passware Kit 6.1
Passware Kit 6.1 Demo
Passware Kit Enterprise 7.3
PC Booster
PC Magazine Printer Dashboard
Pinnacle Hollywood FX for Studio
PIXELA ImageMixer
PowerDesk 6
PowerDVD
Prevx Home
RealPlayer
Recover My Files v2.27
Registry Checkup
Registry Mechanic
Restorer2000 Professional
Retrospect 6.0
Scan Manager 5.2
ScanSoft PDF Converter
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Shockwave
SiSoftware Sandra Standard MAX3! (OCTools: `One tool to rule th
SmartSound Quicktracks Plugin
SnagIt 6
Soulseek Client 154 test 1
SoulSeek Client 155
SoundMAX
Spy Sweeper
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
StartEd 4.1
StartupMonitor
Studio 9
SubRip 1.17.1 (remove only)
TagScanner 4.8 build 481 beta
Teach Me Piano Deluxe
Tenebril Uninstaller 1.20
Total Recorder 5.0
TreeSize 1.75
TuneUp Utilities 2004
TuneUp Utilities 2006
Tweak UI
Tweakui Powertoy for Windows XP
Ulead Data-Add 2.0
Ulead DVD MovieFactory 4.0 Disc Creator
Ulead DVD Player 2.0
Uno
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
USB Midisport Uno 1.0.1.0
USB Storage Adapter FX (MXO)
Video Fixer 3.23
VobSub v2.23 (Remove Only)
Web Dumper 2.2.1
WebCyberCoach 3.2 Dell
Winamp (remove only)
WinAVI Video Converter 5.8
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinISO 5.3
WinMPG Video Convert 5.4
XviD MPEG-4 Video Codec
Your Uninstaller! 2003 Version 3

2)
Logfile of HijackThis v1.99.1
Scan saved at 5:19:33 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\PROGRA~1\Ontrack\Fix-It\MXTask.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\BinarySense\HDDlife\HDDlifePro.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\M-Audio Uno\UnoInst.exe
C:\Program Files\Practica Musica Folder\Practica Musica.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Standard\Sandra.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\winhlp32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\Rar$EX00.313\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - Startup: HDDlife.lnk = C:\Program Files\BinarySense\HDDlife\HDDlifePro.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NOD32 FiX.lnk = C:\WINDOWS\system32\regedt32.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137267464187
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\MXTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: M-Audio Uno Installer (UnoInstallerService) - Unknown owner - C:\Program Files\M-Audio Uno\UnoInst.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)


Any ideas? I did not see anything very suspicious...
Thanks

#6 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 22 January 2006 - 10:13 PM

Something that requires your immediate intervention. I notice that you have more than one anti-virus program on your machine (Kaspersky & NOD32). That's not a good idea!!

This messes up the machine pretty badly. Like firewalls, anti-virus programs have conflicts co-existing with each other & may produce undesirable results. Please uninstall ALL, leaving only one of them.

ALL the antivirus programs must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:

re-install the program -> reboot -> uninstall

* * * * * *


Before we do anything else, please ensure that you have already patched your system against the recent WMF exploit. Please refer to my sig. No point in us fixing anything only for it to return tomorrow.

After you have completed the above, save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.

Right click on this & select 'Save As' - DNSManual.bat
Doubleclick on DNSManual.bat & allow it to run.

SpywareBlaster 3.5.1
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.

* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\ddm_d.exe
    C:\Documents and Settings\adrian\Desktop\fgf140.exe
    C:\Documents and Settings\adrian\Desktop\GDiVX1.9.9.2.exe
    C:\Documents and Settings\adrian_2\Desktop\GordianKnot.CodecPack.1.1.exe
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\
    C:\Documents and Settings\Owner.HOME-93CBMGPG4L\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-3004db0a.zip
    C:\Program Files\LimeWire\2.8.6\limeshop.exe
    C:\Program Files\wsearch\
    C:\software\EasyDivX_0820_standard.exe
    C:\software\GordianKnot.CodecPack.1.2.exe
    D:\Disk.Checker.3.0.BETA.1.us_CRKEXE-FFF.exe
    D:\xp100r2.exe
Delete the contents of this folder, leaving it empty:
  • C:\Program Files\ESET\infected\
* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.

Reboot to Normal Mode & post a fresh HJT log

Edited by sUBs, 22 January 2006 - 10:14 PM.


#7 sendero (Topic Starter)

Posted 25 January 2006 - 06:48 PM

sUBs,
here it is.
There were a few problems: when I tried to install dnsmanual.bat, it gave me an error... and it damaged my connection to the internet.
Also, I was unable to find d:\disk.checker....
However, it looks like the system is better....
What do you think?
Thanks again

Logfile of HijackThis v1.99.1
Scan saved at 6:44:05 PM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\PROGRA~1\Ontrack\Fix-It\MXTask.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\M-Audio Uno\UnoInst.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BinarySense\HDDlife\HDDlifePro.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\Rar$EX00.000\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\system32\lexpps.exe
O4 - Startup: HDDlife.lnk = C:\Program Files\BinarySense\HDDlife\HDDlifePro.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NOD32 FiX.lnk = C:\WINDOWS\system32\regedt32.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137267464187
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\MXTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: M-Audio Uno Installer (UnoInstallerService) - Unknown owner - C:\Program Files\M-Audio Uno\UnoInst.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)
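A small triage parser for the HijackThis log format posted in this thread, added here as an example; it is not part of the original thread and not HijackThis's own code. It pulls out O4 Run and O23 Service entries and flags the things a helper scans for first: "(file missing)", "Unknown owner", stray quote characters inside a service image path, and unquoted Run commands whose executable path contains spaces. The sample lines are constructed after the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample lines modelled on the HijackThis 1.99.1 log in this thread (constructed for this example).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)
"""

# O23 lines look like: "O23 - Service: <display name> - <owner> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O4 Run lines look like: "O4 - HKLM\..\Run: [<value name>] <command>"
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    line_no: int   # 1-based line number within the log text
    kind: str      # short tag for the check that fired
    detail: str    # the entry (or part of it) that triggered the check


def parse_service(line: str) -> Optional[dict]:
    m = O23_RE.match(line)
    return m.groupdict() if m else None


def parse_run(line: str) -> Optional[dict]:
    m = O4_RUN_RE.match(line)
    return m.groupdict() if m else None


def has_unquoted_spaces(cmd: str) -> bool:
    """True when an unquoted command's executable part contains spaces (ambiguous to resolve)."""
    if cmd.startswith('"'):
        return False
    idx = cmd.lower().find(".exe")
    exe = cmd[: idx + 4] if idx != -1 else cmd.split(" ", 1)[0]
    return " " in exe


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, raw in enumerate(log.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "(file missing)" in line:
            findings.append(Finding(n, "file-missing", line))
        svc = parse_service(line)
        if svc:
            if svc["owner"] == "Unknown owner":
                findings.append(Finding(n, "unknown-owner", svc["name"]))
            # A quote in the middle of the path means the ImagePath was not parsed cleanly.
            if '"' in svc["path"] and not svc["path"].startswith('"'):
                findings.append(Finding(n, "odd-quoting", svc["path"]))
        run = parse_run(line)
        if run and has_unquoted_spaces(run["cmd"]):
            findings.append(Finding(n, "unquoted-path", run["cmd"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Each flagged entry still needs a human look, as in this thread: "file missing" services and unquoted paths here belong to leftover vendor software, not to malware.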

#8 sUBs (Malware Response Team)

Posted 25 January 2006 - 10:05 PM

Your log is clean. Do you have any more problems with your computer? If not, you should be set to go. Kindly follow these simple steps in order to keep your computer clean and secure:
  • CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  • DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  • SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  • FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  • Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here.
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free Google Toolbar to help stop pop-up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

#9 sendero (Topic Starter)

Posted 29 January 2006 - 01:13 PM

Thanks again for your help... I will follow your advice!
In the next day or 2 I will send my HJT log for my other computer at home...
One question: when I ran the Kaspersky online scan, several viruses were detected... however, when I installed Kaspersky, only 1 was found??

thanks

#10 sUBs (Malware Response Team)

Posted 03 February 2006 - 04:28 AM

One question: when I ran the Kaspersky online scan, several viruses were detected... however, when I installed Kaspersky, only 1 was found??

Hi,

Sorry for the delay. I have been on holiday.

With regards to the above question, please refer to post #6. I asked you to delete some files. Were you able to locate those files?

#11 sendero (Topic Starter)

Posted 03 February 2006 - 08:49 AM

As I mentioned before, I was unable to find/delete this file:
d:\disk.checker......

Do you feel I still have some spyware in the system?

Another question: I have another computer with problems. Can I post it to you, or should I post it in the general forum?
Thanks

#12 sUBs (Malware Response Team)

Posted 03 February 2006 - 09:27 AM

It's best to post the other computer's log into a new thread. This avoids creating any complications.

D:\Disk.Checker.3.0.BETA.1.us_CRKEXE-FFF.exe appears to be a file you have downloaded yourself. I wouldn't worry too much about it, but it never hurts to have Kaspersky run an online scan on drive D. Please do a Kaspersky scan & let me know how it turns out.

#13 sUBs (Malware Response Team)

Posted 15 February 2006 - 02:50 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



