Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hjt Log: Please Help Diagnose


  • Please log in to reply
11 replies to this topic

#1 Blastedw0lf4

Blastedw0lf4

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 22 June 2006 - 05:03 PM

hey all, havent posted up here in a while..neways yea caught something along the way man. heres the log


Logfile of HijackThis v1.99.1
Scan saved at 5:59:53 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RGFubnk\command.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\win320865-8659703.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\istt\ossr.exe
C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis!\HijackThis.exe

R3 - URLSearchHook: (no name) - {53F92A2D-CEBF-944B-919D-96FC2B82B199} - C:\WINDOWS\system32\nvxob.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rjkrc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cervmbi.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [win320865-8659703] C:\WINDOWS\win320865-8659703.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [Maep] "C:\Program Files\istt\ossr.exe" -vt yazb
O4 - HKCU\..\Run: [Spe] C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...a2e20feddcac6ee
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchost.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFubnk\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

ne help would be greatly appreciated

thanx guyz
:thumbsup:

BC AdBot (Login to Remove)

 


#2 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:06:09 PM

Posted 22 June 2006 - 05:10 PM

Oh you've caught things alright!

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 22 June 2006 - 06:09 PM

alirght well it scanned for a very long time lol and removed some stuff I restarted it as well and it removed even more stuff .. now im back to the desktop and enclosing the Hijack This log..the log for spy sweeper idk where it saved to .. or even if it ran... didint kno where that option was ... dont even kno if you mentioned where it was lol..but newayz here the HiJack This Log... Thankz alot man:

Logfile of HijackThis v1.99.1
Scan saved at 7:08:44 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\win320865-8659703.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis!\HijackThis.exe

R3 - URLSearchHook: (no name) - {53F92A2D-CEBF-944B-919D-96FC2B82B199} - C:\WINDOWS\system32\nvxob.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rjkrc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cervmbi.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [win320865-8659703] C:\WINDOWS\win320865-8659703.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [Maep] "C:\Program Files\istt\ossr.exe" -vt yazb
O4 - HKCU\..\Run: [Spe] C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchost.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

#4 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 22 June 2006 - 08:27 PM

alright got the log from spy sweeper here it is ********
8:56 PM: | Start of Session, Thursday, June 22, 2006 |
8:56 PM: Spy Sweeper started
8:56 PM: Sweep initiated using definitions version 705
8:56 PM: Starting Memory Sweep
8:56 PM: Found Adware: purityscan
8:56 PM: Detected running threat: C:\WINDOWS\system32\qml.dll (ID = 230)
8:57 PM: Detected running threat: C:\Program Files\Common Files\s?stem\explorer.exe (ID = 230)
8:58 PM: Memory Sweep Complete, Elapsed Time: 00:02:21
8:58 PM: Starting Registry Sweep
8:59 PM: Found Adware: enbrowser
8:59 PM: HKLM\software\system\sysold\ (2 subtraces) (ID = 926808)
8:59 PM: HKU\S-1-5-21-1644491937-1078145449-839522115-1003\software\system\sysuid\ (1 subtraces) (ID = 731748)
8:59 PM: Registry Sweep Complete, Elapsed Time:00:00:07
8:59 PM: Starting Cookie Sweep
8:59 PM: Found Spy Cookie: 888 cookie
8:59 PM: danny@888[1].txt (ID = 2019)
8:59 PM: danny@888[2].txt (ID = 2019)
8:59 PM: Found Spy Cookie: advertising cookie
8:59 PM: danny@advertising[2].txt (ID = 2175)
8:59 PM: Found Spy Cookie: falkag cookie
8:59 PM: danny@as-eu.falkag[1].txt (ID = 2650)
8:59 PM: Found Spy Cookie: cassava cookie
8:59 PM: danny@cassava[1].txt (ID = 2362)
8:59 PM: Found Spy Cookie: realmedia cookie
8:59 PM: danny@realmedia[1].txt (ID = 3235)
8:59 PM: Found Spy Cookie: reliablestats cookie
8:59 PM: danny@stats1.reliablestats[1].txt (ID = 3254)
8:59 PM: danny@www.888[1].txt (ID = 2020)
8:59 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:59 PM: Starting File Sweep
8:59 PM: Found Adware: clkoptimizer
8:59 PM: a0043343.dll (ID = 269825)
9:00 PM: a0043342.exe (ID = 279637)
9:00 PM: Found Adware: ezula ilookup
9:00 PM: a0043337.exe (ID = 279493)
9:00 PM: Found Adware: elitemediagroup-pop64
9:00 PM: a0043335.exe (ID = 296393)
9:01 PM: Found Adware: mirar webband
9:01 PM: a0043339.exe (ID = 185463)
9:01 PM: a0043322.exe (ID = 213483)
9:01 PM: Found Adware: command
9:01 PM: a0043334.exe (ID = 235944)
9:02 PM: a0043344.exe (ID = 269829)
9:02 PM: a0043320.exe (ID = 268932)
9:02 PM: a0043346.dll (ID = 236453)
9:02 PM: a0043329.exe (ID = 144946)
9:02 PM: a0043317.exe (ID = 268995)
9:02 PM: a0043345.exe (ID = 269829)
9:04 PM: a0043319.dll (ID = 268799)
9:09 PM: a0043325.exe (ID = 296330)
9:10 PM: a0043336.dll (ID = 299522)
9:10 PM: a0043328.exe (ID = 296335)
9:10 PM: !update-3895[1].0000 (ID = 296027)
9:10 PM: Found Adware: elitemediagroup-mediamotor
9:10 PM: a0043324.tlb (ID = 310783)
9:10 PM: a0043330.exe (ID = 231443)
9:10 PM: a0043333.vbs (ID = 231442)
9:11 PM: a0043327.exe (ID = 296334)
9:12 PM: a0043318.exe (ID = 268798)
9:12 PM: The Spy Communication shield has blocked access to: paypopup.com
9:12 PM: The Spy Communication shield has blocked access to: paypopup.com
9:12 PM: The Spy Communication shield has blocked access to: paypopup.com
9:12 PM: The Spy Communication shield has blocked access to: paypopup.com
9:12 PM: a0043332.dll (ID = 166754)
9:13 PM: Found Adware: winantivirus pro
9:13 PM: winantiviruspro2006freeinstall[1].cab (ID = 304688)
9:15 PM: a0043323.exe (ID = 305735)
9:16 PM: a0043326.exe (ID = 301974)
9:19 PM: a0043338.dll (ID = 208226)
9:22 PM: a0043331.vbs (ID = 185675)
9:24 PM: Warning: Unhandled Archive Type
9:24 PM: Warning: Unhandled Archive Type
9:24 PM: Warning: Invalid Stream
9:24 PM: Warning: Invalid Stream
9:24 PM: Warning: Invalid Stream
9:24 PM: File Sweep Complete, Elapsed Time: 00:25:32
9:24 PM: Full Sweep has completed. Elapsed time 00:28:08
9:24 PM: Traces Found: 44
9:25 PM: Removal process initiated
9:25 PM: Quarantining All Traces: clkoptimizer
9:25 PM: Quarantining All Traces: purityscan
9:25 PM: Quarantining All Traces: elitemediagroup-mediamotor
9:25 PM: Quarantining All Traces: enbrowser
9:25 PM: Quarantining All Traces: command
9:25 PM: Quarantining All Traces: elitemediagroup-pop64
9:25 PM: Quarantining All Traces: ezula ilookup
9:25 PM: Quarantining All Traces: mirar webband
9:25 PM: Quarantining All Traces: winantivirus pro
9:25 PM: Quarantining All Traces: 888 cookie
9:25 PM: Quarantining All Traces: advertising cookie
9:25 PM: Quarantining All Traces: cassava cookie
9:25 PM: Quarantining All Traces: falkag cookie
9:25 PM: Quarantining All Traces: realmedia cookie
9:25 PM: Quarantining All Traces: reliablestats cookie
9:26 PM: Removal process completed. Elapsed time 00:00:54
********
8:54 PM: | Start of Session, Thursday, June 22, 2006 |
8:54 PM: Spy Sweeper started
8:55 PM: Your spyware definitions have been updated.
8:56 PM: | End of Session, Thursday, June 22, 2006 |

#5 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:06:09 PM

Posted 23 June 2006 - 10:30 AM

You may want to print this or save it to notepad as we will go to safe mode.

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window while its running. That may cause it to stall


==================
download http://www.mvps.org/winhelp2002/DelDomains.inf

Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.
=====================

Fix these with HJT – mark them, close IE, click fix checked

R3 - URLSearchHook: (no name) - {53F92A2D-CEBF-944B-919D-96FC2B82B199} - C:\WINDOWS\system32\nvxob.dll

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\rjkrc.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cervmbi.exe

O4 - HKLM\..\Run: [win320865-8659703] C:\WINDOWS\win320865-8659703.exe

O4 - HKCU\..\Run: [Maep] "C:\Program Files\istt\ossr.exe" -vt yazb

O4 - HKCU\..\Run: [Spe] C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE

O20 - AppInit_DLLs: C:\WINDOWS\system32\svchost.dll

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Delete on reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\win320865-8659703.exe
C:\Program Files\istt
C:\PROGRA~1\PPPATC~1
C:\WINDOWS\system32\svchost.dll
C:\WINDOWS\system32\rjkrc.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system


Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.
================
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#6 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 23 June 2006 - 07:57 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:54:48 PM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE
C:\PROGRA~1\COMMON~1\SSTEM~1\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\win32095-865970362006.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis!\HijackThis.exe

R3 - URLSearchHook: (no name) - {5F217341-CC82-9774-A560-9C1CF5EFE4CF} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ms0570365-8659] C:\WINDOWS\ms0570365-8659.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [Spe] C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE
O4 - HKCU\..\Run: [Maep] "C:\PROGRA~1\COMMON~1\SSTEM~1\explorer.exe" -vt ndrv
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: svchost.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)



and then this 1..


Start Time= Fri 06/23/2006 20:34:08.89
Running from: C:\DOCUME~1\DANNY\DESKTOP\COMBOFIX.EXE

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-23 01:24:54 143360 ( A.... ) "C:\WINDOWS\sys035970365-862006.exe"
2006-06-22 20:54:44 ( .D... ) "C:\Program Files\Webroot"
2006-06-22 20:54:44 ( .D... ) "C:\Documents and Settings\Danny\Application Data\Webroot"
2006-06-22 19:36:26 2 ( A.... ) "C:\WINDOWS\system32\wtssvit.exe"
2006-06-22 19:36:26 ( .D... ) "C:\Documents and Settings\Danny\Application Data\s?curity"
2006-06-22 19:36:10 ( .D... ) "C:\Program Files\Common Files\s?stem"
2006-06-22 19:23:34 143360 ( A.... ) "C:\WINDOWS\ms0570365-8659.exe"
2006-06-22 18:48:56 519 ( A.... ) "C:\WINDOWS\auaut.dll"
2006-06-22 07:56:58 32976 ( A.... ) "C:\WINDOWS\system32\uninstIcn.exe"
2006-06-22 07:51:14 81920 ( ..... ) "C:\WINDOWS\system32\svchost.dll"
2006-06-22 07:51:14 ( .D... ) "C:\Program Files\àppPatch"
2006-06-22 07:51:04 ( .D... ) "C:\Program Files\istt"
2006-06-20 10:55:24 389120 ( A.... ) "C:\WINDOWS\system32\nodeipproc.dll"
2006-06-08 21:19:50 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-08 01:53:52 ( .D... ) "C:\Program Files\MTA San Andreas"
2006-06-07 06:14:48 ( .D... ) "C:\Program Files\Eidos"
2006-06-07 04:09:40 ( .D... ) "C:\Program Files\EA SPORTS"
2006-06-07 03:50:18 ( .D... ) "C:\Program Files\Innovatools"
2006-06-07 03:32:32 ( .D... ) "C:\Program Files\LIUtilities"
2006-06-07 03:24:58 ( .D... ) "C:\Program Files\CleanMyPC"
2006-06-01 14:47:08 163840 ( A.... ) "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 14:47:08 27648 ( A.... ) "C:\WINDOWS\system32\jgpl400.dll"
2006-05-29 11:30:34 1494016 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-05-24 04:25:36 ( .D... ) "C:\Program Files\TriglowPictures"
2006-05-22 23:44:54 ( .D... ) "C:\Program Files\directx"
2006-05-19 11:08:32 3052544 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-05-18 01:24:26 450560 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-11 04:23:24 24576 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-05-10 01:23:04 658432 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2006-05-10 01:23:02 613888 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-05-10 01:23:02 532480 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2006-05-10 01:23:02 474112 ( A.... ) "C:\WINDOWS\system32\shlwapi.dll"
2006-05-10 01:23:02 448512 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2006-05-10 01:23:02 146432 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2006-05-10 01:23:02 39424 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2006-05-10 01:23:00 1054208 ( A.... ) "C:\WINDOWS\system32\danim.dll"
2006-05-10 01:23:00 1022976 ( A.... ) "C:\WINDOWS\system32\browseui.dll"
2006-05-10 01:23:00 357888 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-10 01:23:00 251392 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
2006-05-10 01:23:00 205312 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2006-05-10 01:23:00 151040 ( A.... ) "C:\WINDOWS\system32\cdfview.dll"
2006-05-10 01:23:00 96256 ( A.... ) "C:\WINDOWS\system32\inseng.dll"
2006-05-10 01:23:00 55808 ( A.... ) "C:\WINDOWS\system32\extmgr.dll"
2006-05-10 01:23:00 16384 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2006-05-09 00:59:36 ( .D... ) "C:\Program Files\Common Files\SystemRequirementsLab"
2006-04-30 13:02:16 ( .D... ) "C:\Documents and Settings\Danny\Application Data\Roxio"
2006-04-30 12:48:24 ( .D... ) "C:\Program Files\Roxio"
2006-04-30 12:48:24 ( .D... ) "C:\Program Files\Common Files\Roxio Shared"
2006-04-30 01:32:30 ( .D... ) "C:\Program Files\vso"
2006-04-29 22:20:32 ( .D... ) "C:\Program Files\X Software"
2006-04-29 06:07:48 5533696 ( A.... ) "C:\WINDOWS\system32\wmp.dll"
2006-04-23 01:09:04 ( .D... ) "C:\Program Files\ESPNMotion"
2006-04-23 01:09:04 ( .D... ) "C:\Program Files\DIGStream"
2006-04-23 01:09:00 ( .D... ) "C:\Program Files\ESPN"
2006-04-23 01:08:58 ( .D... ) "C:\Program Files\ESPNRunTime"
2006-04-10 13:00:34 555824 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2006-04-10 13:00:30 144688 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-04-10 13:00:28 186672 ( ..... ) "C:\WINDOWS\system32\WgaTray.exe"
2006-03-30 23:57:24 65536 ( A.... ) "C:\WINDOWS\IFinst27.exe"
2006-03-27 14:22:58 286720 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-03-27 14:22:58 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DeadAIM"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ms0570365-8659"="C:\\WINDOWS\\ms0570365-8659.exe"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Registry Cleaner Scheduler"="\"C:\\Program Files\\CleanMyPC\\Registry Cleaner\\RCScheduler.exe\" /startup"
"Maep"="\"C:\\PROGRA~1\\COMMON~1\\SSTEM~1\\explorer.exe\" -vt ndrv"
"Spe"="C:\\PROGRA~1\\PPPATC~1\\RNDLL3~1.EXE"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Danny^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"path"="C:\\Documents and Settings\\Danny\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"command"="\"C:\\Program Files\\LimeWire\\LimeWire.exe\" -startup"
"item"="LimeWire On Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DAEMON Tools"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DIGServices"
"hkey"="HKLM"
"command"="C:\\Program Files\\ESPNRunTime\\DIGServices.exe /brand=ESPN /priority=0 /poll=24"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DIGStream"
"hkey"="HKLM"
"command"="C:\\Program Files\\DIGStream\\digstream.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Picasa Media Detector"
"hkey"="HKLM"
"command"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickTime Task"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"c:\\program files\\steam\\steam.exe\" -silent"
"inimapping"="0"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpy.job

Completion time: Fri 06/23/2006 20:36:10.84
ComboFix ver 06.06.24 - This logfile is located at C:\ComboFix.txt


when i was doing hjackthis tryin to remove the O20 string w/ the appint it didint let me remove it .. an error popped up or something ??

#7 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:06:09 PM

Posted 24 June 2006 - 08:40 AM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT – mark them, close IE, click fix checked

R3 - URLSearchHook: (no name) - {5F217341-CC82-9774-A560-9C1CF5EFE4CF} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [ms0570365-8659] C:\WINDOWS\ms0570365-8659.exe

O4 - HKCU\..\Run: [Spe] C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE

O4 - HKCU\..\Run: [Maep] "C:\PROGRA~1\COMMON~1\SSTEM~1\explorer.exe" -vt ndrv

O20 - AppInit_DLLs: svchost.dll

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Delete on reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\PROGRA~1\PPPATC~1
C:\PROGRA~1\COMMON~1\SSTEM~1
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\win32095-865970362006.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#8 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 24 June 2006 - 01:41 PM

i've done all you have instructed..for the most part..the popups have stopped..but this is just the 1st couple of minutes since i've done all this ..lets c what happenz over like a half hour course of time ...also.

O20 - AppInit_DLLs: svchost.dll

this string gives me problems when i try to remove it off of Hijackthis...it reminas as you will c in my log .. heres that log btw

Logfile of HijackThis v1.99.1
Scan saved at 2:37:12 PM, on 6/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis!\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [Spe] C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: svchost.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

#9 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 24 June 2006 - 01:46 PM

just got a popup right now :thumbsup:

#10 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:06:09 PM

Posted 24 June 2006 - 02:28 PM

It is critical that you use Delete on reboot to delete the files in this fix

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HJT – mark them, close IE, click fix checked

O4 - HKCU\..\Run: [Spe] C:\PROGRA~1\PPPATC~1\RNDLL3~1.EXE

O20 - AppInit_DLLs: svchost.dll

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
=============
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

Network Monitor

Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.

============
DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\PROGRAM FILES\PPPATC~1
C:\WINDOWS\System32\svchost.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#11 Blastedw0lf4

Blastedw0lf4
  • Topic Starter

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:07:09 PM

Posted 24 June 2006 - 03:21 PM

1nce agen ..done as you've instructed to the Tee .. just everytime i try to remove the svchost.dll in Hjackthis I get an error ----- An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: svchost.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.



heres the present hijack this log as well ----

Logfile of HijackThis v1.99.1
Scan saved at 4:20:44 PM, on 6/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis!\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [Maep] "C:\PROGRA~1\COMMON~1\SSTEM~1\explorer.exe" -vt ndrv
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#12 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:06:09 PM

Posted 24 June 2006 - 03:46 PM

I just realized !!!!!!

You have no active AntiVirus!

Get the free AVG 7 install it, check for updates and run a full scan

AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/

===================
Well the O20 is gone but this came back - fix the entry

O4 - HKCU\..\Run: [Maep] "C:\PROGRA~1\COMMON~1\SSTEM~1\explorer.exe" -vt ndrv

Delete the folder

C:\PROGRAM FILES\COMMON FILES\SSTEM~1
"Nothing could be finer than to be in South Carolina ............"

Member ASAP




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users