If Anyone Can Help Me Analyze My Logs That Would Help Alot


22 replies to this topic

#1 soccrmn7


Posted 27 January 2006 - 10:26 PM

I've looked through and deleted a couple of things that looked suspicious. If anyone could review my logs and alert me to any other problem files, that would be very helpful. Thanks a lot.

Logfile of HijackThis v1.99.1
Scan saved at 7:00:23 PM, on 1/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cran\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LimeWire 4.0.5 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.0.5 Pro\LimeWire.exe
O4 - Global Startup: ME101 Configuration Utility.lnk = C:\Program Files\NETGEAR\ME101 Configuration Utility\wlancfg.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD17C57A-8871-4169-AB87-C394338A94E6}: NameServer = 85.255.113.141,85.255.112.109
O17 - HKLM\System\CS1\Services\Tcpip\..\{AD17C57A-8871-4169-AB87-C394338A94E6}: NameServer = 85.255.113.141,85.255.112.109
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



#2 Jag11


Posted 27 January 2006 - 11:37 PM

Hi and welcome to BleepingComputer.

I'm Jet Ian, and I will be handling your log to help you get cleaned up. Please give me some time to look it over, and I will get back to you as soon as possible.
Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


#3 soccrmn7

  • Topic Starter


Posted 28 January 2006 - 12:32 AM

Thank you very much for taking the time to help me. Take your time, as I believe I cleared up the most serious problems, seeing as my computer is running much smoother, and I am now trying to get rid of the little nagging bugs. Once again, thanks for your help.

Edited by soccrmn7, 28 January 2006 - 12:33 AM.


#4 Jag11


Posted 28 January 2006 - 08:30 AM

Thanks for being patient.

You have disabled some startups with msconfig. This can be bad, because sometimes these startups are malware, and if they're disabled we can't see them, so please follow these steps:
  • Click Start, then Run, type msconfig and click OK.
  • Click the Startup tab.
  • Then click the Enable All button.
  • Click Apply, then OK. (DO NOT restart your computer if it asks you to.)
After doing that, please post us a new HijackThis log.


Good Luck,
Jet Ian

Edited by Jag11, 28 January 2006 - 09:02 AM.


#5 soccrmn7

  • Topic Starter


Posted 28 January 2006 - 01:57 PM

here is an updated log


Logfile of HijackThis v1.99.1
Scan saved at 10:55:20 AM, on 1/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec AntiVirus\VPC32.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cran\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\nether.exe
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [FLKPT] media64.exe
O4 - HKLM\..\Run: [driver64] lpt.exe
O4 - HKLM\..\Run: [dmuxc.exe] C:\WINDOWS\system32\dmuxc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run940.exe dummy
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\RunServices: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LimeWire 4.0.5 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.0.5 Pro\LimeWire.exe
O4 - Global Startup: ME101 Configuration Utility.lnk = C:\Program Files\NETGEAR\ME101 Configuration Utility\wlancfg.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD17C57A-8871-4169-AB87-C394338A94E6}: NameServer = 85.255.113.141,85.255.112.109
O17 - HKLM\System\CS1\Services\Tcpip\..\{AD17C57A-8871-4169-AB87-C394338A94E6}: NameServer = 85.255.113.141,85.255.112.109
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#6 Jag11


Posted 29 January 2006 - 01:53 AM

Welcome back soccrmn7.

Before we start, I just want to ask if you have a firewall. If you have NO firewall, please download and install this one:

On to the fix...

==========================================================

Please follow the instructions provided, you may want to print out these instructions and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding.

==========================================================

Please download smitRem.exe
  • Save it to your desktop.
  • Extract the file to its own folder.
==========================================================

Show Hidden Files and Folders
  • Click Start.
  • Open My Computer.
  • Click the Tools menu.
  • Click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
==========================================================

Boot into Safe Mode
  • Restart your computer.
  • As soon as it starts to boot, tap F8 repeatedly.
  • Select Safe Mode from the menu and then hit Enter.
  • If that doesn't work, click here.
==========================================================

Run smitRem

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

==========================================================

Restart your computer.

==========================================================

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\Run: [FLKPT] media64.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\nether.exe
O4 - HKLM\..\Run: [driver64] lpt.exe
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run940.exe dummy
O4 - HKLM\..\RunServices: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD17C57A-8871-4169-AB87-C394338A94E6}: NameServer = 85.255.113.141,85.255.112.109
O17 - HKLM\System\CS1\Services\Tcpip\..\{AD17C57A-8871-4169-AB87-C394338A94E6}: NameServer = 85.255.113.141,85.255.112.109

O4 - HKLM\..\Run: [dmuxc.exe] C:\WINDOWS\system32\dmuxc.exe

Note: this line can be random, so put a check by any O4 line with a file name that starts with dm, like this: [dm***] - *** stands for random letters.

Click Fix Checked. Close HijackThis, and click OK to proceed.

==========================================================

Before we start deleting files and folders, please tell us if you can't see/delete any of them.

a. Files:
  • C:\WINDOWS\nether.exe
  • C:\WINDOWS\system32\run940.exe
b. Folders:
  • C:\Program Files\WinHound\
  • C:\Program Files\MsMovies\
c. Using Windows Search (Start, Search, For Files or Folders):
  • aim.exe
  • winlogi.exe
  • media64.exe
  • lpt.exe

==========================================================

Run an online scan at Panda's ActiveScan
  • Please go here and perform a full system scan.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the big Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your Valid Email and click send.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • Click on Local Disks to start the scan.
  • Save the log file created to your Desktop.
==========================================================

Ok, just a review of the logs you need to post:
  • HijackThis (new)
  • smitRem results (smitfiles.txt)
  • FixWareout results (C:\fixwareout\report.txt)
  • Panda Online Scan results
Good Luck,
Jet Ian

Edited by Papakid, 29 January 2006 - 10:40 AM.

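A small triage script, added here as an editorial example (not a tool from this thread or from BleepingComputer), that applies the checks Jet Ian made by hand to the O4, O17, O18 and O9 lines of a HijackThis log: autorun entries with no path, the dm***.exe random-name rule from the note above, NameServer overrides and filter hijacks with no CLSID. The sample lines are copied from the log in post #5; the trusted-resolver set is a constructed placeholder that an operator would replace with the DNS servers they actually configured.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed allow-list: the resolvers the operator actually configured.
# Anything else in an O17 NameServer line is reported as a DNS override.
TRUSTED_RESOLVERS = {"192.168.1.1"}

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:\[]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h"
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)")
# First program in a command line, quoted or not, up to its extension.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|com|bat|scr|pif|dll))\b"?', re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high" or "low"
    line: str
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program part of an autorun command line, without quotes or arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def check_o4(line: str) -> list[Finding]:
    m = O4_RE.match(line)
    if not m:
        return []
    exe = executable_of(m.group("cmd"))
    base = exe.rsplit("\\", 1)[-1].lower()
    findings = []
    if "\\" not in exe and ":" not in exe:
        # A bare file name is resolved through the search path at logon, so the
        # registry entry alone does not tell you which file actually runs.
        findings.append(Finding("high", line,
                                f'autorun "{base}" has no path; the file that runs depends on the search order'))
    if re.fullmatch(r"dm[a-z0-9]*\.exe", base):
        # The helper's own rule for this infection: O4 entries named dm***.exe.
        findings.append(Finding("high", line, f'"{base}" matches the dm***.exe random-name pattern'))
    return findings


def check_o17(line: str, trusted: set[str] = TRUSTED_RESOLVERS) -> list[Finding]:
    m = O17_RE.match(line)
    if not m:
        return []
    rogue = [s for s in m.group("servers").split(",") if s and s not in trusted]
    if rogue:
        return [Finding("high", line, "DNS override to unexpected resolvers: " + ", ".join(rogue))]
    return []


def check_misc(line: str) -> list[Finding]:
    if line.startswith("O18 - Filter hijack:") and "(no CLSID)" in line:
        return [Finding("high", line, "MIME filter registered with no CLSID and no file")]
    if line.startswith("O9 - ") and line.endswith("(file missing)"):
        return [Finding("low", line, "IE button points at a missing file (dead leftover)")]
    return []


def triage(log_text: str) -> list[Finding]:
    """Run every check over each line of a HijackThis log and collect the hits."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_o4, check_o17, check_misc):
            findings.extend(check(line))
    return findings


# Sample lines copied from the log in post #5 (two benign entries, one of them a quoted path).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [FLKPT] media64.exe
O4 - HKLM\..\Run: [dmuxc.exe] C:\WINDOWS\system32\dmuxc.exe
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run940.exe dummy
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD17C57A-8871-4169-AB87-C394338A94E6}: NameServer = 85.255.113.141,85.255.112.109
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Note that a path-based heuristic does not flag C:\WINDOWS\system32\run940.exe, which the helper still picked out by name: the script narrows the list to look at, it does not replace the manual review.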

#7 soccrmn7

  • Topic Starter


Posted 29 January 2006 - 01:35 PM

I could not locate any files or folders besides the MsMovies folder.

Edited by soccrmn7, 29 January 2006 - 05:02 PM.


#8 Jag11


Posted 30 January 2006 - 05:09 AM

Ok, I need a new HijackThis log. Also include these logs:
  • smitRem results (smitfiles.txt)
  • FixWareout results (C:\fixwareout\report.txt)
  • Panda Online Scan results


#9 soccrmn7

  • Topic Starter


Posted 30 January 2006 - 02:49 PM

Here are the logs. Thanks for your time.




Logfile of HijackThis v1.99.1
Scan saved at 11:45:56 AM, on 1/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Java\j2re1.4.0_04\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cran\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\nether.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LimeWire 4.0.5 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.0.5 Pro\LimeWire.exe
O4 - Global Startup: ME101 Configuration Utility.lnk = C:\Program Files\NETGEAR\ME101 Configuration Utility\wlancfg.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



=====================================================================



Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please

Reg Entries that were deleted

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...

Misc files

Checking for older varients covered by the Rem3 tool


====================================================================



Incident Status Location

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\.jpi_cache\file\1.0\Gummy.class-421ef8d3-1250e629.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\.jpi_cache\file\1.0\Gummy.class-50121646-3e41800c.class
Adware:Adware/Trymedia Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for Civilization III Gold Edition [ auto -bitorent ] by PeerAnia.com.zip\Civilization III Gold Edition [ auto -bitorent ] by PeerAnia.com.com
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Cran\Cookies\cran@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cran\Cookies\cran@atdmt[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Cran\Cookies\cran@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Cran\Cookies\cran@doubleclick[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Cran\Cookies\cran@realmedia[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Cran\Cookies\cran@tradedoubler[1].txt
Adware:Adware/SearchExe Not disinfected C:\Documents and Settings\Cran\Desktop\backups\backup-20060127-021108-281.dll
Possible Virus. Not disinfected C:\Documents and Settings\Cran\Desktop\CWShredder.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Cran\Desktop\smitRem.exe[Process.exe]
Possible Virus. Not disinfected C:\Program Files\iTunes\iTunes.exe
Adware:Adware/TopSpyware Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B76DB6B9-BBCC-4FD5-848D-1E6C33\B9941B07-3E75-4155-9263-216B42
Possible Virus. Not disinfected C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMFWLaunch.exe
Possible Virus. Not disinfected C:\Program Files\Valve\Steam\Unwise32.exe
Possible Virus. Not disinfected C:\WINDOWS\$NtServicePackUninstall$\imjpinst.exe
Possible Virus. Not disinfected C:\WINDOWS\$NtServicePackUninstall$\mstinit.exe
Possible Virus. Not disinfected C:\WINDOWS\$NtServicePackUninstall$\proxycfg.exe
Possible Virus. Not disinfected C:\WINDOWS\$NtServicePackUninstall$\rasphone.exe
Possible Virus. Not disinfected C:\WINDOWS\$NtServicePackUninstall$\sspipes.scr
Possible Virus. Not disinfected C:\WINDOWS\$NtServicePackUninstall$\tlntsvr.exe
Possible Virus. Not disinfected C:\WINDOWS\$NtServicePackUninstall$\wuauclt.exe
Possible Virus. Not disinfected C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\iTunesSetup.exe
Possible Virus. Not disinfected C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
Possible Virus. Not disinfected C:\WINDOWS\ServicePackFiles\i386\cmdl32.exe
Possible Virus. Not disinfected C:\WINDOWS\ServicePackFiles\i386\lang\imjpinst.exe
Possible Virus. Not disinfected C:\WINDOWS\ServicePackFiles\i386\lang\imscinst.exe
Possible Virus. Not disinfected C:\WINDOWS\ServicePackFiles\i386\sspipes.scr
Possible Virus. Not disinfected C:\WINDOWS\ServicePackFiles\i386\sstext3d.scr
Adware:adware/worldsearch Not disinfected C:\WINDOWS\system32\bhoimpl.dll
Virus:Trj/Agent.AZY Disinfected C:\WINDOWS\system32\cstwg.exe
Adware:adware/spysheriff Not disinfected C:\WINDOWS\system32\desktop.html
Dialer:Dialer.FGG Not disinfected C:\WINDOWS\system32\dial32.exe
Virus:Trj/Agent.AZY Disinfected C:\WINDOWS\system32\encodex.exe
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr111.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr112.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr131.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr140.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr16.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr193.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr253.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr254.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr272.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr273.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr282.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr304.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr313.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr315.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr344.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr36.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr387.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr395.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr401.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr406.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr407.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr414.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr416.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr447.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr448.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr48.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr486.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr496.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr498.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr504.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr538.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr539.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr541.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr556.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr575.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr597.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr608.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr621.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr638.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr651.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr661.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr699.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr721.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr723.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr731.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr733.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr734.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr742.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr745.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr755.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr786.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr795.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr803.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr804.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr805.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr813.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr828.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr844.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr846.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr863.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr87.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr879.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr887.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr905.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr917.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr927.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr936.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\ldr99.dll
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\per.exe
Adware:Adware/TopSpyware Not disinfected C:\WINDOWS\system32\srpcsrv32.dll
Virus:Trj/Downloader.GYL Disinfected C:\WINDOWS\system32\tt.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\ttttt.exe
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\tttttt.exe
Adware:Adware/TopSpyware Not disinfected C:\WINDOWS\system32\txfdb32.dll
Adware:Adware/TopSpyware Not disinfected C:\WINDOWS\system32\upd420.exe
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\upd459.exe
Adware:Adware/WinHound Not disinfected C:\WINDOWS\system32\upd522.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\upd568.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\upd810.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\upd902.exe
Possible Virus. Not disinfected C:\WINDOWS\uninst.exe

#10 soccrmn7 (Topic Starter, Members, 13 posts)

Posted 30 January 2006 - 10:24 PM

Here's an updated log.

Logfile of HijackThis v1.99.1
Scan saved at 7:21:52 PM, on 1/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\DOCUME~1\Cran\LOCALS~1\Temp\990020367.tmp
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cran\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlinesecurityguide.net/?adv=193
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\nether.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LimeWire 4.0.5 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.0.5 Pro\LimeWire.exe
O4 - Global Startup: ME101 Configuration Utility.lnk = C:\Program Files\NETGEAR\ME101 Configuration Utility\wlancfg.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#11 Papakid (Guru at being a Newbie; Malware Response Team, 6,594 posts)

Posted 31 January 2006 - 03:01 PM

Hi soccrmn7, sorry for the delay.

We need to see the log from SmitRem. Did you have any problems running it? If so, delete your old copy and download it again and try it again.

It's very important that you run it in safe mode and follow all other instructions to a T. And let us know where you encounter a problem.

There is a lot of strangeness in your log and something I'm curious about, so please also do this:

Go to Jotti's malware scan

Click the Browse button, navigate to the following file, and then click Submit. You will only be able to do one at a time.

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMFWLaunch.exe
C:\Program Files\Valve\Steam\Unwise32.exe
C:\WINDOWS\$NtServicePackUninstall$\imjpinst.exe


Please post back the results from each scan along with the SmitRem log.

Also, when was the last time you ran an updated full system scan with Norton? And what file system are you running, NTFS or FAT32?

The thing about people

is they change

when they walk away.--Mipso


#12 soccrmn7 (Topic Starter, Members, 13 posts)

Posted 31 January 2006 - 08:54 PM

For the SmitRem logs: I ran the program in safe mode; it ran through, said nothing was found and ran Disk Cleanup, but it never gave me an option to save a log and I could not locate a log to send. If I'm missing something, please let me know and I'll get you the log ASAP. The reports for the other files are listed below. I ran an updated scan about a week ago, and I'm running the NTFS file system. Thanks a lot.
===================================================================


File: MMFWLaunch.exe
Status: OK
MD5 9baadfb0aa4de4a2233aa5d298119afb
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
==============================================================

File: Unwise32.exe
Status: OK
MD5 628127e44b3293caaf285344571bcc5f
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
===============================================================

File: imjpinst.exe
Status: OK
MD5 09b0ba0aa76759adc6860e2315e3502d
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

===========================================================

#13 soccrmn7 (Topic Starter, Members, 13 posts)

Posted 31 January 2006 - 08:56 PM

Also, here's an updated HijackThis log, because I believe a few things have changed.

Logfile of HijackThis v1.99.1
Scan saved at 5:54:25 PM, on 1/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Java\j2re1.4.0_04\bin\javaw.exe
C:\Program Files\Symantec AntiVirus\VPC32.EXE
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Cran\LOCALS~1\Temp\9254808.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Documents and Settings\Cran\Desktop\HijackThis.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\wuau32.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\nether.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LimeWire 4.0.5 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.0.5 Pro\LimeWire.exe
O4 - Global Startup: ME101 Configuration Utility.lnk = C:\Program Files\NETGEAR\ME101 Configuration Utility\wlancfg.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

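The checks the helpers in this thread apply by eye to these logs (a process running from a .tmp file in the user's Temp folder, a win.ini run= entry, an autostart with a Windows-sounding name that points at an executable sitting directly in C:\WINDOWS, a rewritten IE start page, orphaned O9/O18 entries) can be written down as a small triage script. The following is an added example for this page, not part of the thread or of HijackThis itself; the sample log is a cut-down copy of lines from the logs posted above, and the allowlist, the default start pages and the severity labels are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Cut-down copy of lines from the HijackThis logs posted in this thread
# (a few "Running processes" lines and a few R0/F3/O4/O9/O18/O23 entries);
# it is a sample for this example, not a complete log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\DOCUME~1\Cran\LOCALS~1\Temp\9254808.tmp
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlinesecurityguide.net/?adv=193
F3 - REG:win.ini: run=C:\WINDOWS\system32\wuau32.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\nether.exe
O4 - Startup: asheriff.lnk = C:\Program Files\AdwareSheriff\asheriff.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

Finding = Tuple[str, str, str]  # (severity, rule, offending log line)

# A .tmp file under the user's Temp folder that shows up as a running process.
TEMP_TMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\[^\\]+\.tmp$", re.I)
# An .exe directly in the C:\WINDOWS root (not in a subfolder).
WINROOT_EXE_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.exe$", re.I)
# Assumption for this example: on XP only Explorer legitimately runs from there.
WINROOT_ALLOW = {"explorer.exe"}
# Assumption: start pages that need no second look.
DEFAULT_START_PAGES = ("about:blank", "http://www.msn.com", "http://www.microsoft.com")


def triage(log: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries a responder would ask about."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if TEMP_TMP_RE.search(line):
                findings.append(("high", "process running from a .tmp file in Temp", line))
            elif WINROOT_EXE_RE.match(line) and line.rsplit("\\", 1)[1].lower() not in WINROOT_ALLOW:
                findings.append(("medium", "process running from the C:\\WINDOWS root", line))
            continue
        section = line.split(" - ", 1)[0]
        if section == "R0" and "Start Page" in line:
            url = line.split("=", 1)[1].strip().lower()
            if not url.startswith(DEFAULT_START_PAGES):
                findings.append(("medium", "non-default IE start page (possible hijack)", line))
        elif section == "F3" and "run=" in line:
            findings.append(("high", "win.ini run= autostart (legacy mechanism, rarely legitimate)", line))
        elif section == "O4":
            m = re.search(r"\[(.+?)\]\s+(.+)$", line)
            if m:
                name, path = m.group(1), m.group(2).strip().strip('"')
                if name.lower().startswith("windows") and WINROOT_EXE_RE.match(path):
                    findings.append(("high", "autostart with a Windows-sounding name running from C:\\WINDOWS root", line))
        elif section == "O18" and "(no file)" in line:
            findings.append(("low", "orphaned MIME filter hijack entry", line))
        elif section == "O9" and "(file missing)" in line:
            findings.append(("info", "orphaned IE button/menu entry (cleanup only)", line))
    return findings


if __name__ == "__main__":
    for severity, rule, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule}\n         {line}")
```

Run against the sample it flags the two C:\WINDOWS-root processes, the .tmp process, the start page, the win.ini entry, nether.exe and the two orphaned IE entries, and leaves hkcmd.exe, vsmon.exe and the Symantec/Zone Labs lines alone; every hit still needs a human to look at the file (a Jotti submission, as Papakid asked for above), because the rules only encode where malware of this era liked to live, not what the file is.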
#14 Jag11 (Members, 1,027 posts, Location: 127.0.0.1)

Posted 02 February 2006 - 10:12 AM

Sorry for the delay Soccrmn7.

==========================================================

Please follow the instructions provided, you may want to print out these instructions and use them as a reference. If you have any questions regarding the fix, please ask us before proceeding.

==========================================================

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Main at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • Click Exit on the Main menu to close the program.

==========================================================

Please download Killbox to your Desktop.
  • Double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C on your keyboard.


    C:\WINDOWS\system32\bhoimpl.dll
    C:\WINDOWS\system32\cstwg.exe
    C:\WINDOWS\system32\desktop.html
    C:\WINDOWS\system32\dial32.exe
    C:\WINDOWS\system32\encodex.exe
    C:\WINDOWS\system32\ldr111.dll
    C:\WINDOWS\system32\ldr112.dll
    C:\WINDOWS\system32\ldr131.dll
    C:\WINDOWS\system32\ldr140.dll
    C:\WINDOWS\system32\ldr16.dll
    C:\WINDOWS\system32\ldr193.dll
    C:\WINDOWS\system32\ldr253.dll
    C:\WINDOWS\system32\ldr254.dll
    C:\WINDOWS\system32\ldr272.dll
    C:\WINDOWS\system32\ldr273.dll
    C:\WINDOWS\system32\ldr282.dll
    C:\WINDOWS\system32\ldr304.dll
    C:\WINDOWS\system32\ldr313.dll
    C:\WINDOWS\system32\ldr315.dll
    C:\WINDOWS\system32\ldr344.dll
    C:\WINDOWS\system32\ldr36.dll
    C:\WINDOWS\system32\ldr387.dll
    C:\WINDOWS\system32\ldr395.dll
    C:\WINDOWS\system32\ldr401.dll
    C:\WINDOWS\system32\ldr406.dll
    C:\WINDOWS\system32\ldr407.dll
    C:\WINDOWS\system32\ldr414.dll
    C:\WINDOWS\system32\ldr416.dll
    C:\WINDOWS\system32\ldr447.dll
    C:\WINDOWS\system32\ldr448.dll
    C:\WINDOWS\system32\ldr48.dll
    C:\WINDOWS\system32\ldr486.dll
    C:\WINDOWS\system32\ldr496.dll
    C:\WINDOWS\system32\ldr498.dll
    C:\WINDOWS\system32\ldr504.dll
    C:\WINDOWS\system32\ldr538.dll
    C:\WINDOWS\system32\ldr539.dll
    C:\WINDOWS\system32\ldr541.dll
    C:\WINDOWS\system32\ldr556.dll
    C:\WINDOWS\system32\ldr575.dll
    C:\WINDOWS\system32\ldr597.dll
    C:\WINDOWS\system32\ldr608.dll
    C:\WINDOWS\system32\ldr621.dll
    C:\WINDOWS\system32\ldr638.dll
    C:\WINDOWS\system32\ldr651.dll
    C:\WINDOWS\system32\ldr661.dll
    C:\WINDOWS\system32\ldr699.dll
    C:\WINDOWS\system32\ldr721.dll
    C:\WINDOWS\system32\ldr723.dll
    C:\WINDOWS\system32\ldr731.dll
    C:\WINDOWS\system32\ldr733.dll
    C:\WINDOWS\system32\ldr734.dll
    C:\WINDOWS\system32\ldr742.dll
    C:\WINDOWS\system32\ldr745.dll
    C:\WINDOWS\system32\ldr755.dll
    C:\WINDOWS\system32\ldr786.dll
    C:\WINDOWS\system32\ldr795.dll
    C:\WINDOWS\system32\ldr803.dll
    C:\WINDOWS\system32\ldr804.dll
    C:\WINDOWS\system32\ldr805.dll
    C:\WINDOWS\system32\ldr813.dll
    C:\WINDOWS\system32\ldr828.dll
    C:\WINDOWS\system32\ldr844.dll
    C:\WINDOWS\system32\ldr846.dll
    C:\WINDOWS\system32\ldr863.dll
    C:\WINDOWS\system32\ldr87.dll
    C:\WINDOWS\system32\ldr879.dll
    C:\WINDOWS\system32\ldr887.dll
    C:\WINDOWS\system32\ldr905.dll
    C:\WINDOWS\system32\ldr917.dll
    C:\WINDOWS\system32\ldr927.dll
    C:\WINDOWS\system32\ldr936.dll
    C:\WINDOWS\system32\ldr99.dll
    C:\WINDOWS\system32\per.exe
    C:\WINDOWS\system32\srpcsrv32.dll
    C:\WINDOWS\system32\tt.exe
    C:\WINDOWS\system32\ttttt.exe
    C:\WINDOWS\system32\tttttt.exe
    C:\WINDOWS\system32\txfdb32.dll
    C:\WINDOWS\system32\upd420.exe
    C:\WINDOWS\system32\upd459.exe
    C:\WINDOWS\system32\upd522.exe
    C:\WINDOWS\system32\upd568.exe
    C:\WINDOWS\system32\upd810.exe
    C:\WINDOWS\system32\upd902.exe
    C:\Documents and Settings\Cran\Desktop\backups\backup-20060127-021108-281.dll
    C:\WINDOWS\nether.exe
    C:\WINDOWS\system32\wuau32.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
  • If your computer does not restart automatically, please restart it manually.

==========================================================

Run HijackThis

Please open HJT, click Do a system scan only, and then place a checkmark beside each of these entries:

F3 - REG:win.ini: run=C:\WINDOWS\system32\wuau32.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\nether.exe
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)


After placing all the checkmarks, close all windows (except HJT), and then hit Fix Checked. When it finishes, exit HJT.

==========================================================

Please post a new HijackThis log on your next reply.

Thanks,
Jet Ian

Proud member of ASAP and UNITE since 2006.
Everyone wants to go to heaven, but no one wants to die.


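Killbox's "Delete on Reboot" option queues the pasted paths in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, which Session Manager processes early in the next boot, before the files can be locked again; the prompt the post above asks to be told about is named after that value. The following added example (not part of the thread, and not Killbox's own code) parses that list so a responder can confirm what is actually queued before rebooting and spot entries that were not requested. The sample value is constructed for the example (it reuses two paths from the Killbox list above and adds a replace-style entry); the live registry read only works on Windows and is an assumption about where the value lives, stated from the Windows documentation rather than from this thread.

```python
import sys
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"  # Win32 paths are stored in NT form: \??\C:\...

# Constructed sample of the REG_MULTI_SZ data after a "Delete on Reboot"
# request; it reuses two paths from the Killbox list in this thread and adds
# a replace-style entry for illustration. It was not read from the poster's machine.
SAMPLE_PENDING = [
    "\\??\\C:\\WINDOWS\\nether.exe", "",
    "\\??\\C:\\WINDOWS\\system32\\wuau32.exe", "",
    "\\??\\C:\\WINDOWS\\TEMP\\newlib.dll", "!\\??\\C:\\WINDOWS\\system32\\oldlib.dll",
]

Op = Tuple[str, str, Optional[str]]  # (action, source, destination)


def _win32_path(p: str) -> str:
    """Strip the \\??\\ object-manager prefix so paths read like the Killbox list."""
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def parse_pending(values: List[str]) -> List[Op]:
    """Interpret the flat string list as (source, destination) pairs.

    Session Manager walks the list in pairs at boot: an empty destination
    deletes the source, a destination with a leading '!' overwrites an
    existing file, anything else is a plain rename. A dangling last entry
    is reported as 'malformed' instead of being silently ignored.
    """
    ops: List[Op] = []
    for i in range(0, len(values) - 1, 2):
        src, dst = _win32_path(values[i]), values[i + 1]
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, _win32_path(dst[1:])))
        else:
            ops.append(("move", src, _win32_path(dst)))
    if len(values) % 2 == 1:
        ops.append(("malformed", _win32_path(values[-1]), None))
    return ops


def unexpected(ops: List[Op], requested: List[str]) -> List[Op]:
    """Return queued operations whose source was not in the list the responder asked for."""
    wanted = {p.lower() for p in requested}
    return [op for op in ops if op[1].lower() not in wanted]


def read_pending_from_registry() -> Optional[List[str]]:
    """Read the live value. Windows only; returns None elsewhere and [] if the value is unset."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:
        return []
    finally:
        winreg.CloseKey(key)
    return list(value)


if __name__ == "__main__":
    live = read_pending_from_registry()
    for action, src, dst in parse_pending(live if live is not None else SAMPLE_PENDING):
        print(f"{action:9} {src}" + (f" -> {dst}" if dst else ""))
```

Comparing the parsed list against the paths pasted into Killbox (the `unexpected` helper) is the check worth doing when that prompt appears: anything queued that the responder did not ask for was put there by another process and deserves a look before the machine is rebooted.
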
#15 soccrmn7 (Topic Starter, Members, 13 posts)

Posted 04 February 2006 - 02:42 PM

Sorry for the delay. I downloaded all the programs and followed the instructions. After running Killbox I did receive the PendingFileRenameOperations prompt message. Here is an updated log. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 11:38:21 AM, on 2/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1139078202\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1139078202\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Documents and Settings\Cran\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onlinesecurityguide.net/?adv=193
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139078202\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: asheriff.lnk = C:\Program Files\AdwareSheriff\asheriff.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LimeWire 4.0.5 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.0.5 Pro\LimeWire.exe
O4 - Global Startup: ME101 Configuration Utility.lnk = C:\Program Files\NETGEAR\ME101 Configuration Utility\wlancfg.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe