Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Here's My Log Please Help!


  • Please log in to reply
26 replies to this topic

#1 deathrunner

deathrunner

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 14 September 2006 - 01:52 AM

OK, I just read the post on what to do before posting a log file.

I ran, panda, stinger, and all others recommended as well as my Norton program.

My problem is that I have a redirecting virus. When I click links on websites, the virus will send me to various pornography sites. I can't even check bleeping computer site very well. Sometimes, on the 5th or 6th attempt, I will get thrpugh to where I actually want to be. Also, if I restart my computer with teh modem connected, the computer freezes. I have to start with the modem off and then turn it on after the computer is on. So, it seems like the virus comes to life when it senses the connection at startup.

Here's my new log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:54:20 AM, on 9/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.line6.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139033881687
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263CD671-7309-4273-A88B-3C13CCCC3604}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{86267162-281B-4E6D-9F04-03E9E9836ED4}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC0F3F7-3A58-4F18-80D7-6438786539D7}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.103 85.255.112.214
O17 - HKLM\System\CS1\Services\Tcpip\..\{263CD671-7309-4273-A88B-3C13CCCC3604}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.103 85.255.112.214
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by deathrunner, 15 September 2006 - 01:41 AM.


BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:59 PM

Posted 18 September 2006 - 08:34 AM

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

#3 deathrunner

deathrunner
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 18 September 2006 - 10:35 AM

Awesome Thanks For Your HELP!


Here's the new hi jack this log:

Logfile of HijackThis v1.99.1
Scan saved at 8:33:28 AM, on 9/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.line6.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139033881687
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263CD671-7309-4273-A88B-3C13CCCC3604}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{86267162-281B-4E6D-9F04-03E9E9836ED4}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC0F3F7-3A58-4F18-80D7-6438786539D7}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.103 85.255.112.214
O17 - HKLM\System\CS1\Services\Tcpip\..\{263CD671-7309-4273-A88B-3C13CCCC3604}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.103 85.255.112.214
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:59 PM

Posted 18 September 2006 - 01:31 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

R3 - Default URLSearchHook is missing
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.line6.net

Reboot your computer.

Enter your control panel and double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Press OK twice to get out of the properties screen and reboot if it asks.

Then post a new log and tell me if its better.

#5 deathrunner

deathrunner
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 18 September 2006 - 02:39 PM

Allright, I did everything. The computer does seem to run quicker now. That's great. But I tried to see fi there was still a redirecting issue. It's notnearly as common, but it still occurs occasionally.

Here is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 12:35:34 PM, on 9/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139033881687
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263CD671-7309-4273-A88B-3C13CCCC3604}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC0F3F7-3A58-4F18-80D7-6438786539D7}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.103 85.255.112.214
O17 - HKLM\System\CS1\Services\Tcpip\..\{263CD671-7309-4273-A88B-3C13CCCC3604}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.103 85.255.112.214
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Also, do I need all of those processes? I'm not sure what the different svchosts are. hmmmm

By the way, thanks a ton for your help!

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:59 PM

Posted 18 September 2006 - 03:54 PM

Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to scart scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

#7 deathrunner

deathrunner
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 19 September 2006 - 12:10 AM

Here's the new log, THANKS:




WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Logfile created on: 9/18/2006 9:49:33 PM
WinPFind v1.5.0 Folder = C:\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 2/12/2006 6:34:20 PM 45568 C:\ATF-Cleaner.exe (Atribune.org)

Checking %ProgramFilesDir% folder...
aspack 11/14/2004 9:13:52 AM 403968 C:\Program Files\JustZIPit.exe (AvatarSoft)

Checking %WinDir% folder...

Checking %System% folder...
WSUD 6/20/2005 7:09:06 PM R 18751488 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
PEC2 9/3/2002 9:30:40 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
UPX! 4/11/2000 8:44:56 PM 85504 C:\WINDOWS\SYSTEM32\lame_enc.dll ()
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)
PECompact2 9/11/2006 10:37:22 AM 8960936 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 9/11/2006 10:37:22 AM 8960936 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 8/4/2004 12:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 8/4/2004 12:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
winsync 9/3/2002 10:10:48 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 10:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/18/2006 9:48:30 PM S 2048 C:\WINDOWS\bootstat.dat ()
9/16/2006 2:03:36 AM H 54156 C:\WINDOWS\QTFont.qfn ()
7/28/2006 5:16:08 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918899.cat ()
7/27/2006 7:00:28 AM S 10337 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920214.cat ()
7/21/2006 2:03:14 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920670.cat ()
8/21/2006 6:00:10 AM S 11749 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922582.cat ()
9/18/2006 9:48:20 PM H 8192 C:\WINDOWS\system32\config\default.LOG ()
9/18/2006 9:48:42 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
9/18/2006 9:48:32 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG ()
9/18/2006 9:48:50 PM H 98304 C:\WINDOWS\system32\config\software.LOG ()
9/18/2006 9:48:36 PM H 1142784 C:\WINDOWS\system32\config\system.LOG ()
9/14/2006 10:21:22 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
9/6/2006 12:49:20 PM S 18 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 ()
9/6/2006 12:49:20 PM S 21069 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 ()
9/6/2006 12:49:20 PM S 216 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 ()
9/6/2006 12:49:20 PM S 216 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 ()
9/14/2006 9:37:50 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\80376d4e-09f6-4be6-9cc9-f2ab73d1c833 ()
9/14/2006 9:37:50 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred ()
8/6/2006 2:11:42 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\4e760722-0d2a-4feb-9071-e8bdf4081bd2 ()
8/6/2006 2:11:42 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
9/18/2006 9:46:40 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
6/20/2005 7:09:06 PM R 18751488 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
8/4/2004 12:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
7/26/2006 3:03:14 AM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
6/26/2003 9:41:40 AM 65536 C:\WINDOWS\SYSTEM32\l6gpcpl.cpl (Line 6)
10/5/2004 6:58:10 PM 65536 C:\WINDOWS\SYSTEM32\l6pxtcpl.cpl (Line 6)
9/3/2002 9:40:02 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
9/3/2002 9:47:04 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
2/25/2004 2:39:34 AM 205944 C:\WINDOWS\SYSTEM32\plotman.cpl (Autodesk, Inc.)
8/4/2004 12:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
2/25/2004 2:39:44 AM 205944 C:\WINDOWS\SYSTEM32\styleman.cpl (Autodesk, Inc.)
8/4/2004 12:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
9/3/2002 10:06:38 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/4/2004 12:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
5/26/2005 5:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
9/3/2002 9:40:02 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
9/3/2002 9:47:04 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
9/3/2002 10:06:38 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab
{6414512B-B978-451D-A0D8-FCFDF33E833C} - WUWebControl Class - CodeBase = http://update.microsoft.com/windowsupdate/...b?1139033881687
{72C9EA8F-8965-40C2-ABAD-D460A5815F86} - hostCntrlIE Class - CodeBase = http://host.oddcast.com/hostClientIE.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - Java Plug-in 1.5.0_04 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/3/2006 3:17:48 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
1/27/2006 7:08:28 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
5/5/2006 1:58:42 PM 12 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt ()
5/6/2006 2:52:38 AM 1359 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache ()

Checking files in %USERPROFILE%\Startup folder...
2/3/2006 3:17:48 PM HS 84 C:\Documents and Settings\Lewis Vagina\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
1/27/2006 7:08:28 AM HS 62 C:\Documents and Settings\Lewis Vagina\Application Data\desktop.ini ()

Checking Selected Registry Keys

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/windows/ie_intl/en/start/
\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
\\Default_Page_URL - http://www.microsoft.com/windows/ie_intl/en/start/
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.yahoo.com/
\\Search Bar - http://www.google.com/ie
\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
\\Default_Page_URL - http://www.microsoft.com/windows/ie_intl/en/start/
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
\\Local Page - C:\WINDOWS\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://www.google.com/ie


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Norton Internet Security = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (Symantec Corporation)
\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8199
\\{44226DFF-747E-4edc-B30C-78752E50CD0C} - 8193 =
\\{85d1f590-48f4-11d9-9669-0800200c9a66} - 8195 =
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8196 =
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8197 =
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8198 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{E0D79300-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WinZip\wzshlext.dll ()
\\{E0D79301-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WinZip\wzshlext.dll ()
\\{E0D79302-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WinZip\wzshlext.dll ()
\\{36A21736-36C2-4C11-8ACB-D4136F2B57BD} - AutoCAD Digital Signatures Icon Overlay Handler = C:\WINDOWS\System32\AcSignIcon.dll (Autodesk)
\\{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} - Autodesk Drawing Preview = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll (Autodesk)
\\{6DEA92E9-8682-4b6a-97DE-354772FE5727} - Autodesk DWF Preview = C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll (Autodesk)
\\{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA} - NOMAD Explorer = C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL (Creative Technology Ltd)
\\{5E44E225-A408-11CF-B581-008029601108} - Roxio DragToDisc Shell Extension = C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll (Roxio)
\\{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC} - My Media = C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll (Roxio, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
\WinZip - {E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\WinZip - {E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\Library - {54F51408-DD44-4a12-82EF-519AD2A80DE9} = C:\Program Files\ATI Multimedia\mlibrary\MLShell.dll ()
\Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
\WinZip - {E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll ()

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Lewis Vagina\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\AtiExtEvent - Ati2evxx.dll = ()
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - WgaLogon.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{263CD671-7309-4273-A88B-3C13CCCC3604} - 85.255.116.103,85.255.112.214 ()
{86267162-281B-4E6D-9F04-03E9E9836ED4} - (VIA Rhine II Fast Ethernet Adapter)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


Scan Complete

#8 deathrunner

deathrunner
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 19 September 2006 - 10:38 AM

Whatever virus I hav enow isnot allowing me to access my personal pages on yahoo or ebay. wierd!

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:59 PM

Posted 19 September 2006 - 02:46 PM

* Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.
This tools works in safe mode.. other rootkitrevealers don't.

#10 deathrunner

deathrunner
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 20 September 2006 - 10:20 AM

It's been running for about 9 hours now. Is that normal? It is still scanning the registry, and it is making progress. SHould I stop and run it in safe mode, or is this normal?

Thanks

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:59 PM

Posted 20 September 2006 - 02:12 PM

Do this instead:

Please download FixWareout from one of these sites:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

#12 deathrunner

deathrunner
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 21 September 2006 - 10:38 AM

Well, I let it run for a day and a half in safe mode and I got the log finally. I woudl have checked your last post, but I can't get online in safe mode. I will do as you instructed in the last post. But, in the meantime here is the log from gmer:


GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-21 08:25:14
Windows 5.1.2600 Service Pack 2


---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{34A6C0CF-4945-4916-B999-0111B0DCBFF8}
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins@}27F5E879B8BB-C14B-A0A4-2B6F-E1151698{ 0xEF 0x4E 0x00 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins@rzumd 0xDD 0x19 0x00 0x00 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@dmuzr.exe C:\WINDOWS\system32\dmuzr.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@dmuzr.exe C:\WINDOWS\system32\dmuzr.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@dmuzr.exe C:\WINDOWS\system32\dmuzr.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion@xorsc 0xCF 0xC0 0xA6 0x34 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@system csrox.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@system csrox.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@system csrox.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@system csrox.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@system csrox.exe
Reg \Registry\USER\S-1-5-21-861567501-261903793-682003330-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\WINDOWS\system32\dmjvd.exe dmjvd
Reg \Registry\USER\S-1-5-21-861567501-261903793-682003330-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\Lewis Vagina\Local Settings\Temporary Internet Files\Content.IE5\O52ZO1MN\NDP1.0sp3-KB886906-X86-Enu[1].exe NDP1.0sp3-KB886906-X86-Enu[1]
Reg \Registry\USER\S-1-5-21-861567501-261903793-682003330-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache@@netcfgx.dll,-50015 Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services.
Reg \Registry\USER\S-1-5-21-861567501-261903793-682003330-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache@@netcfgx.dll,-50001 Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks.

---- Files - GMER 1.0.11 ----

ADS ...
File C:\WINDOWS\system32\csrox.exe
File C:\WINDOWS\system32\dmuzr.exe
ADS ...

---- EOF - GMER 1.0.11 ----

#13 deathrunner

deathrunner
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 21 September 2006 - 10:50 AM

Allright here is the log from fixwareout:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}27F5E879B8BB-C14B-A0A4-2B6F-E1151698{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\jckmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1trap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\2trap
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmkcj.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Searching by size/names...


Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSZFC.EXE 51,761 2006-09-13
C:\WINDOWS\SYSTEM32\DMKCJ.EXE 61,983 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

Misc files.

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:59 PM

Posted 22 September 2006 - 10:47 AM

Ok lets see a new hijackthis log.

#15 deathrunner

deathrunner
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 22 September 2006 - 11:05 AM

I still cannot access sites such as yahoo mail, my ebay home page, or my bank page.

Here's the new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:02:26 AM, on 9/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - Default URLSearchHook is missing
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139033881687
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263CD671-7309-4273-A88B-3C13CCCC3604}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBC0F3F7-3A58-4F18-80D7-6438786539D7}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.103 85.255.112.214
O17 - HKLM\System\CS1\Services\Tcpip\..\{263CD671-7309-4273-A88B-3C13CCCC3604}: NameServer = 85.255.116.103,85.255.112.214
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.103 85.255.112.214
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users