#1
Registered User
Join Date: Nov 2004
Posts: 10
OS: XP Pro
IE6 Crashing - MS Visual C++ Runtime Error
Hi guys
I was wondering if someone could assist with this plz? When I use IE I am getting errors that cause it to freeze or crash. It happens sometimes when I open IE, or maybe if I'm browsing a site and click a link on a page, it causes the page to freeze completely. The error messages say the following:

Microsoft Visual C++ Runtime Error
error is in C:\Program Files\Internet Explorer\iexplore.exe
abnormal program termination

When I click OK it closes however many browser windows are open. If I ctrl alt delete b4 that tho and go to Processes, sometimes there can be multiple instances of iexplore.exe running tho there may only be 1 browser window open. Clicking End Process can sometimes remove the freezing, sometimes it just closes the window. Occasionally there can be totally unknown processes running, the names of them being totally random like lfudfeqff.exe or 59684595.exe. These are related to the error as this is the only time they are there, and if they are present there is always more than one. Occasionally there is this too, lykbaggae.exe, which if I click End Process seems to solve the problem momentarily.

I have run AdAware, Spyware Blaster, Spyware Doctor, Spybot and CW Shredder. Also Norton AV. I'm using IE6 on Win XP. Any help is greatly appreciated as this is ruining browsing completely. Below is the HJT log file, many thanks in advance for any assistance.

Paul

Used the HijackThis Analyzer program to get the "new" log.
===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/7/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 03:55:53, on 30/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\Program Files\Tweak-XP Pro\tranicon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Gearbox Connection Kit\bin\gbdash.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://66.197.142.134/forums/forumdi...?s=&forumid=19
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zpecialoffer.com/indexie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = PaulG Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\yfldymxn.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08C30086-0020-F97F-90AC-89B571174F80} - C:\WINDOWS\System32\zjndoagq.dll
O2 - BHO: (no name) - {15DCCDF4-E2C8-ADFE-0184-E3AFD81C250A} - C:\WINDOWS\System32\ktaumyxj.dll
O2 - BHO: (no name) - {19A25736-85D9-C0A4-1977-A19FF8CC7514} - C:\WINDOWS\System32\zpngnhub.dll
O2 - BHO: (no name) - {20504D85-00F0-F97F-906C-3BB571174F80} - (no file)
O2 - BHO: (no name) - {20B04B85-0080-FA7F-90DC-4FB671174F80} - C:\WINDOWS\System32\qqhjjuay.dll
O2 - BHO: (no name) - {2489636B-B324-8946-D2FF-786BA867D03F} - C:\WINDOWS\System32\ltjqrfpg.dll
O2 - BHO: (no name) - {287B1385-00C0-F97F-902C-AEB571174F80} - C:\WINDOWS\System32\ijufottt.dll
O2 - BHO: (no name) - {48A70A85-0030-FA7F-90AC-E7B471174F80} - C:\WINDOWS\System32\nzoswycj.dll (file missing)
O2 - BHO: (no name) - {55E791BA-AC9B-92F9-E2FF-C3EF5B0FFF88} - C:\WINDOWS\System32\qfcbablw.dll
O2 - BHO: (no name) - {5A33ADEC-283D-DD07-2596-5990CAAEFC42} - C:\WINDOWS\System32\jbctdlag.dll
O2 - BHO: (no name) - {65ACBEFE-0BAE-A33A-147A-C31FA1764D3D} - C:\WINDOWS\System32\slvkaujn.dll
O2 - BHO: (no name) - {684B2586-0050-FA7F-909C-50B671174F80} - C:\WINDOWS\System32\wnqrvncs.dll
O2 - BHO: (no name) - {701A2486-0080-FD7F-90EC-20B571174F80} - C:\WINDOWS\System32\tkwyyvlc.dll
O2 - BHO: (no name) - {78633E86-00A0-F97F-902C-1FB671174F80} - C:\WINDOWS\System32\ckmcseua.dll
O2 - BHO: (no name) - {89CB2915-C77C-10B5-147F-83CE2F2A7AD3} - C:\WINDOWS\System32\frkdhdpq.dll
O2 - BHO: (no name) - {954A1CF8-3B2A-3B36-16A4-CEF0850409A7} - C:\WINDOWS\System32\aqsgfjwx.dll
O2 - BHO: (no name) - {B0299417-3F72-E47A-7D4F-1C43E050621A} - C:\WINDOWS\System32\dmgopixt.dll
O2 - BHO: (no name) - {B0C34A85-00F0-F87F-909C-31F771174F80} - C:\WINDOWS\System32\zihifcvd.dll
O2 - BHO: (no name) - {C628EAD9-D383-0D91-2451-934216FD498F} - C:\WINDOWS\System32\xwjbedpi.dll
O2 - BHO: (no name) - {C8B34405-014D-FE5C-FA80-F5434CA628EC} - C:\WINDOWS\System32\wvkmojsf.dll
O2 - BHO: (no name) - {CF995F1A-9F13-F30A-ACA8-1D86AEB00B2E} - C:\WINDOWS\System32\xmjbqtvj.dll
O2 - BHO: (no name) - {D38CC83E-0323-2D71-E0EA-D02332E9F569} - C:\WINDOWS\System32\kxqvlzjs.dll (file missing)
O2 - BHO: (no name) - {D8E71A86-0040-F87F-90CC-E9F671174F80} - C:\WINDOWS\System32\accognzf.dll
O2 - BHO: (no name) - {FA4ADB46-829A-FC5F-AF57-DBCA8FB70CDD} - C:\WINDOWS\System32\xyctemgh.dll
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [ivdnpa] C:\WINDOWS\System32\hmijln.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [Tiny Firewall] C:\WINDOWS\System32\msvcrtid.exe
O4 - HKLM\..\Run: [lykbggae] C:\WINDOWS\System32\lykbggae.exe
O4 - HKLM\..\Run: [yogdluad] C:\WINDOWS\System32\yogdluad.exe
O4 - HKLM\..\Run: [mfguwlvo] C:\WINDOWS\System32\mfguwlvo.exe
O4 - HKLM\..\Run: [ahsowzlz] C:\WINDOWS\System32\ahsowzlz.exe
O4 - HKLM\..\Run: [mqxqkecn] C:\WINDOWS\System32\mqxqkecn.exe
O4 - HKLM\..\Run: [c93020d1b314] C:\WINDOWS\System32\aaaamon0.exe
O4 - HKLM\..\Run: [nozyqwtz] C:\WINDOWS\System32\nozyqwtz.exe
O4 - HKLM\..\Run: [filnvded] C:\WINDOWS\System32\filnvded.exe
O4 - HKLM\..\Run: [ycajmilp] C:\WINDOWS\System32\ycajmilp.exe
O4 - HKLM\..\Run: [ctqgwxpv] C:\WINDOWS\System32\ctqgwxpv.exe
O4 - HKLM\..\Run: [pmqlixuq] C:\WINDOWS\System32\pmqlixuq.exe
O4 - HKLM\..\Run: [ocisqjpp] C:\WINDOWS\System32\ocisqjpp.exe
O4 - HKLM\..\Run: [vajyimvm] C:\WINDOWS\System32\vajyimvm.exe
O4 - HKLM\..\Run: [qdbyfgbt] C:\WINDOWS\System32\qdbyfgbt.exe
O4 - HKLM\..\Run: [nturarbx] C:\WINDOWS\System32\nturarbx.exe
O4 - HKLM\..\Run: [ggavtkhr] C:\WINDOWS\System32\ggavtkhr.exe
O4 - HKLM\..\Run: [dyujjenk] C:\WINDOWS\System32\dyujjenk.exe
O4 - HKLM\..\Run: [mtkonnwh] C:\WINDOWS\System32\mtkonnwh.exe
O4 - HKLM\..\Run: [skhqaekj] C:\WINDOWS\System32\skhqaekj.exe
O4 - HKLM\..\Run: [nczykmbz] C:\WINDOWS\System32\nczykmbz.exe
O4 - HKLM\..\Run: [gwvdxwai] C:\WINDOWS\System32\gwvdxwai.exe
O4 - HKLM\..\Run: [pdtzejgb] C:\WINDOWS\System32\pdtzejgb.exe
O4 - HKLM\..\Run: [kurvvmgg] C:\WINDOWS\System32\kurvvmgg.exe
O4 - HKLM\..\Run: [fuqnitnk] C:\WINDOWS\System32\fuqnitnk.exe
O4 - HKLM\..\Run: [poeuequy] C:\WINDOWS\System32\poeuequy.exe
O4 - HKLM\..\Run: [mivngtri] C:\WINDOWS\System32\mivngtri.exe
O4 - HKLM\..\Run: [dnxjwhoh] C:\WINDOWS\System32\dnxjwhoh.exe
O4 - HKLM\..\Run: [kagavzns] C:\WINDOWS\System32\kagavzns.exe
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [TransparentIcons] "C:\Program Files\Tweak-XP Pro\tranicon.exe" -ex
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O4 - HKCU\..\Run: [ixplore] "C:\Program Files\Internet Explorer\ixplore.exe"
O4 - HKCU\..\Run: [Hsrd] C:\Documents and Settings\Paul-G\Application Data\u???t?.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/uk/ringtone/ringtone.exe
O16 - DPF: {3A3137D7-4439-0FDC-8B9C-62D16330FBAE} - http://63.219.178.91/1/gdnGB1463.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhel...7/dlhelper.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://crazyvegas.microgaming.com/c...as/FlashAX.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/...ol/h2hpool.cab
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} - http://ads.dealhelper.com/updates/DealHelperNew.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B4B8E58-6C1E-4793-883A-9186F18C16CE}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: EpsonBidirectionalService - Unknown - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
O23 - Service: cznexczpcmxf - Unknown - C:\WINDOWS\System32\msupd5.exe

End of HijackThis Analyzer Log.
===========================================================================================================================

I can see in that log the likes of the exe files I was saying, with random names such as these:

O4 - HKLM\..\Run: [gwvdxwai] C:\WINDOWS\System32\gwvdxwai.exe
O4 - HKLM\..\Run: [pdtzejgb] C:\WINDOWS\System32\pdtzejgb.exe
O4 - HKLM\..\Run: [kurvvmgg] C:\WINDOWS\System32\kurvvmgg.exe

However there can sometimes be the same but with all numbers in it. I can also see I have a hell of a lot of crap on there lol. Any assistance greatly appreciated in the removal of these and getting back in shape. Thx
#2
Analyst, Security Team
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off System Restore by right clicking on My Computer and going to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and have verified that it's clean, you may turn it back on and create a new restore point.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers. Run a scan in HijackThis.
Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://66.197.142.134/forums/forumd...p?s=&forumid=19
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zpecialoffer.com/indexie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\yfldymxn.dll
O2 - BHO: (no name) - {08C30086-0020-F97F-90AC-89B571174F80} - C:\WINDOWS\System32\zjndoagq.dll
O2 - BHO: (no name) - {15DCCDF4-E2C8-ADFE-0184-E3AFD81C250A} - C:\WINDOWS\System32\ktaumyxj.dll
O2 - BHO: (no name) - {19A25736-85D9-C0A4-1977-A19FF8CC7514} - C:\WINDOWS\System32\zpngnhub.dll
O2 - BHO: (no name) - {20504D85-00F0-F97F-906C-3BB571174F80} - (no file)
O2 - BHO: (no name) - {20B04B85-0080-FA7F-90DC-4FB671174F80} - C:\WINDOWS\System32\qqhjjuay.dll
O2 - BHO: (no name) - {2489636B-B324-8946-D2FF-786BA867D03F} - C:\WINDOWS\System32\ltjqrfpg.dll
O2 - BHO: (no name) - {287B1385-00C0-F97F-902C-AEB571174F80} - C:\WINDOWS\System32\ijufottt.dll
O2 - BHO: (no name) - {48A70A85-0030-FA7F-90AC-E7B471174F80} - C:\WINDOWS\System32\nzoswycj.dll (file missing)
O2 - BHO: (no name) - {55E791BA-AC9B-92F9-E2FF-C3EF5B0FFF88} - C:\WINDOWS\System32\qfcbablw.dll
O2 - BHO: (no name) - {5A33ADEC-283D-DD07-2596-5990CAAEFC42} - C:\WINDOWS\System32\jbctdlag.dll
O2 - BHO: (no name) - {65ACBEFE-0BAE-A33A-147A-C31FA1764D3D} - C:\WINDOWS\System32\slvkaujn.dll
O2 - BHO: (no name) - {684B2586-0050-FA7F-909C-50B671174F80} - C:\WINDOWS\System32\wnqrvncs.dll
O2 - BHO: (no name) - {701A2486-0080-FD7F-90EC-20B571174F80} - C:\WINDOWS\System32\tkwyyvlc.dll
O2 - BHO: (no name) - {78633E86-00A0-F97F-902C-1FB671174F80} - C:\WINDOWS\System32\ckmcseua.dll
O2 - BHO: (no name) - {89CB2915-C77C-10B5-147F-83CE2F2A7AD3} - C:\WINDOWS\System32\frkdhdpq.dll
O2 - BHO: (no name) - {954A1CF8-3B2A-3B36-16A4-CEF0850409A7} - C:\WINDOWS\System32\aqsgfjwx.dll
O2 - BHO: (no name) - {B0299417-3F72-E47A-7D4F-1C43E050621A} - C:\WINDOWS\System32\dmgopixt.dll
O2 - BHO: (no name) - {B0C34A85-00F0-F87F-909C-31F771174F80} - C:\WINDOWS\System32\zihifcvd.dll
O2 - BHO: (no name) - {C628EAD9-D383-0D91-2451-934216FD498F} - C:\WINDOWS\System32\xwjbedpi.dll
O2 - BHO: (no name) - {C8B34405-014D-FE5C-FA80-F5434CA628EC} - C:\WINDOWS\System32\wvkmojsf.dll
O2 - BHO: (no name) - {CF995F1A-9F13-F30A-ACA8-1D86AEB00B2E} - C:\WINDOWS\System32\xmjbqtvj.dll
O2 - BHO: (no name) - {D38CC83E-0323-2D71-E0EA-D02332E9F569} - C:\WINDOWS\System32\kxqvlzjs.dll (file missing)
O2 - BHO: (no name) - {D8E71A86-0040-F87F-90CC-E9F671174F80} - C:\WINDOWS\System32\accognzf.dll
O2 - BHO: (no name) - {FA4ADB46-829A-FC5F-AF57-DBCA8FB70CDD} - C:\WINDOWS\System32\xyctemgh.dll
O4 - HKLM\..\Run: [ivdnpa] C:\WINDOWS\System32\hmijln.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\Run: [Tiny Firewall] C:\WINDOWS\System32\msvcrtid.exe
O4 - HKLM\..\Run: [lykbggae] C:\WINDOWS\System32\lykbggae.exe
O4 - HKLM\..\Run: [yogdluad] C:\WINDOWS\System32\yogdluad.exe
O4 - HKLM\..\Run: [mfguwlvo] C:\WINDOWS\System32\mfguwlvo.exe
O4 - HKLM\..\Run: [ahsowzlz] C:\WINDOWS\System32\ahsowzlz.exe
O4 - HKLM\..\Run: [mqxqkecn] C:\WINDOWS\System32\mqxqkecn.exe
O4 - HKLM\..\Run: [c93020d1b314] C:\WINDOWS\System32\aaaamon0.exe
O4 - HKLM\..\Run: [nozyqwtz] C:\WINDOWS\System32\nozyqwtz.exe
O4 - HKLM\..\Run: [filnvded] C:\WINDOWS\System32\filnvded.exe
O4 - HKLM\..\Run: [ycajmilp] C:\WINDOWS\System32\ycajmilp.exe
O4 - HKLM\..\Run: [ctqgwxpv] C:\WINDOWS\System32\ctqgwxpv.exe
O4 - HKLM\..\Run: [pmqlixuq] C:\WINDOWS\System32\pmqlixuq.exe
O4 - HKLM\..\Run: [ocisqjpp] C:\WINDOWS\System32\ocisqjpp.exe
O4 - HKLM\..\Run: [vajyimvm] C:\WINDOWS\System32\vajyimvm.exe
O4 - HKLM\..\Run: [qdbyfgbt] C:\WINDOWS\System32\qdbyfgbt.exe
O4 - HKLM\..\Run: [nturarbx] C:\WINDOWS\System32\nturarbx.exe
O4 - HKLM\..\Run: [ggavtkhr] C:\WINDOWS\System32\ggavtkhr.exe
O4 - HKLM\..\Run: [dyujjenk] C:\WINDOWS\System32\dyujjenk.exe
O4 - HKLM\..\Run: [mtkonnwh] C:\WINDOWS\System32\mtkonnwh.exe
O4 - HKLM\..\Run: [skhqaekj] C:\WINDOWS\System32\skhqaekj.exe
O4 - HKLM\..\Run: [nczykmbz] C:\WINDOWS\System32\nczykmbz.exe
O4 - HKLM\..\Run: [gwvdxwai] C:\WINDOWS\System32\gwvdxwai.exe
O4 - HKLM\..\Run: [pdtzejgb] C:\WINDOWS\System32\pdtzejgb.exe
O4 - HKLM\..\Run: [kurvvmgg] C:\WINDOWS\System32\kurvvmgg.exe
O4 - HKLM\..\Run: [fuqnitnk] C:\WINDOWS\System32\fuqnitnk.exe
O4 - HKLM\..\Run: [poeuequy] C:\WINDOWS\System32\poeuequy.exe
O4 - HKLM\..\Run: [mivngtri] C:\WINDOWS\System32\mivngtri.exe
O4 - HKLM\..\Run: [dnxjwhoh] C:\WINDOWS\System32\dnxjwhoh.exe
O4 - HKLM\..\Run: [kagavzns] C:\WINDOWS\System32\kagavzns.exe
O4 - HKCU\..\Run: [ixplore] "C:\Program Files\Internet Explorer\ixplore.exe"
O4 - HKCU\..\Run: [Hsrd] C:\Documents and Settings\Paul-G\Application Data\u???t?.exe
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.79/100039/uk/ringtone/ringtone.exe
O16 - DPF: {3A3137D7-4439-0FDC-8B9C-62D16330FBAE} - http://63.219.178.91/1/gdnGB1463.exe
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://crazyvegas.microgaming.com/...gas/FlashAX.cab
O16 - DPF: {FE4BBEA8-1EFD-4B8A-BD1B-341CCDBEEAA6} - http://ads.dealhelper.com/updates/DealHelperNew.cab
O23 - Service: cznexczpcmxf - Unknown - C:\WINDOWS\System32\msupd5.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

wnim.dll
C:\Documents and Settings\Paul-G\Application Data\u???t?.exe
C:\WINDOWS\System32\msupd5.exe

Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED.

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
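The analyst's "fix checked" list above follows a few recurring patterns in the posted log: unnamed BHOs and Run entries whose file names are eight random lowercase letters under System32, a hex-string Run value name (the aaaamon0.exe entry), a Rundll32 entry loading wnim.dll by bare name, O16 ActiveX downloads from raw IP addresses or pointing at .exe files, and a service with an "Unknown" publisher in System32. The script below is an added example (not the forum's or HijackThis's own code) that encodes those triage patterns as heuristics and runs them over a constructed sample of lines taken from the thread's log; the section regexes and thresholds are assumptions about the HijackThis line format, not a HijackThis feature.

```python
"""Triage heuristics for HijackThis-style log lines (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a few lines of each kind from the thread's log, not the whole log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08C30086-0020-F97F-90AC-89B571174F80} - C:\WINDOWS\System32\zjndoagq.dll
O2 - BHO: (no name) - {20504D85-00F0-F97F-906C-3BB571174F80} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [lykbggae] C:\WINDOWS\System32\lykbggae.exe
O4 - HKLM\..\Run: [c93020d1b314] C:\WINDOWS\System32\aaaamon0.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O16 - DPF: {3A3137D7-4439-0FDC-8B9C-62D16330FBAE} - http://63.219.178.91/1/gdnGB1463.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O23 - Service: cznexczpcmxf - Unknown - C:\WINDOWS\System32\msupd5.exe
O23 - Service: EpsonBidirectionalService - Unknown - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
"""

# One pattern per HijackThis section we triage (assumed line layout, as seen in the thread).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")

RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")    # lykbggae, zjndoagq, msvcrtid ...
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$")   # c93020d1b314
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SYSTEM32 = "\\windows\\system32\\"


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _stem(path: str) -> str:
    """File name without directory or extension, lower-cased."""
    base = re.split(r"[\\/]", path)[-1]
    return base.rsplit(".", 1)[0].lower()


def _image(cmd: str) -> str:
    """Executable or DLL path at the start of an O4 command line, quoted or not."""
    m = re.match(r'"?(?P<p>.+?\.(?:exe|dll))', cmd, re.IGNORECASE)
    return m.group("p") if m else cmd


def _reasons(line: str):
    """Yield a reason string for every heuristic the line trips."""
    if m := O2_RE.match(line):
        if m["path"] == "(no file)":
            yield "orphaned BHO registration (no file on disk)"
            return
        if m["name"] == "(no name)" and SYSTEM32 in m["path"].lower():
            yield "unnamed BHO loading from System32"
        if SYSTEM32 in m["path"].lower() and RANDOM_STEM_RE.match(_stem(m["path"])):
            yield "random-looking 8-letter file name in System32"
    elif m := O4_RE.match(line):
        image = _image(m["cmd"])
        if SYSTEM32 in image.lower() and RANDOM_STEM_RE.match(_stem(image)):
            yield "random-looking 8-letter file name in System32"
        if HEX_NAME_RE.match(m["value"].lower()):
            yield "hex-string Run value name"
        if _stem(image) == "rundll32":
            rest = m["cmd"][m["cmd"].find(image) + len(image):].lstrip('" ')
            dll = rest.split()[0].rstrip(",") if rest else ""
            if dll and "\\" not in dll:
                yield "rundll32 loading a DLL by bare name (resolved via search path)"
    elif m := O16_RE.match(line):
        url = urlparse(m["url"])
        if url.hostname and IPV4_RE.match(url.hostname):
            yield "ActiveX download from a raw IP address"
        if url.path.lower().endswith(".exe"):
            yield "ActiveX DPF entry points at an .exe, not a .cab"
    elif m := O23_RE.match(line):
        if m["company"] == "Unknown" and SYSTEM32 in m["path"].lower():
            yield "unknown-publisher service image in System32"


def analyze(log_text: str) -> list[Finding]:
    """Run every heuristic over every non-empty line and collect the findings."""
    return [Finding(line, reason)
            for line in (ln.strip() for ln in log_text.splitlines()) if line
            for reason in _reasons(line)]


def suspicious_lines(log_text: str) -> list[str]:
    """Distinct flagged lines in log order, i.e. a draft 'fix checked' list for review."""
    seen: dict[str, None] = {}
    for f in analyze(log_text):
        seen.setdefault(f.line, None)
    return list(seen)
```

The Epson service and the Acrobat BHO in the sample are deliberately left unflagged to show that "Unknown publisher" or a blank BHO name alone is not enough; the heuristics only narrow the list a human analyst still has to review.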
#3
Registered User
Join Date: Nov 2004
Posts: 10
OS: XP Pro
WOW!!
That was a fast reply!! Many thanks my friend, I shall give it a go now. Oops, have just realised that before running HijackThis I forgot to show hidden files and folders. Sorry. Will I need to do so and run it again, or should the previous be enough m8??
#4
Analyst, Security Team
Nope, that's ok. You should do it now just so that if any files are hidden, you can find it and delete it. So continue with the fix.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#5
Registered User
Join Date: Nov 2004
Posts: 10
OS: XP Pro
hey m8, have done above but am unclear on one little bit. Where u say the following:
Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED.

I'm not too sure how to do this. I clicked all these in HijackThis and then Fix Checked. I then went to search and deleted these files:

wnim.dll
C:\Documents and Settings\Paul-G\Application Data\u???t?.exe (couldn't find this one, this happened last time I did a HJ fix too so shouldn't be a prob)
C:\WINDOWS\System32\msupd5.exe

But it's just when u say delete the exe and dll files in red, I'm not sure what u mean. I went to C:\WINDOWS\System32 but can't see those files there?? Is there something else I need to do?? Am just ready to run HJ again to get a new log but am unsure if I need to delete these files from somewhere first??? OK, here is the new log anyway, but dunno if I will have to delete the above mentioned files first.

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/7/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 05:12:20, on 30/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\RedLine\Taskbar.exe
C:\Program Files\Tweak-XP Pro\tranicon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\Program Files\Gearbox Connection Kit\bin\gbdash.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://66.197.142.134/forums/forumdi...?s=&forumid=19
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = PaulG Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08C30086-0020-F97F-90AC-89B571174F80} - (no file)
O2 - BHO: (no name) - {15DCCDF4-E2C8-ADFE-0184-E3AFD81C250A} - (no file)
O2 - BHO: (no name) - {19A25736-85D9-C0A4-1977-A19FF8CC7514} - (no file)
O2 - BHO: (no name) - {20504D85-00F0-F97F-906C-3BB571174F80} - (no file)
O2 - BHO: (no name) - {20B04B85-0080-FA7F-90DC-4FB671174F80} - (no file)
O2 - BHO: (no name) - {2489636B-B324-8946-D2FF-786BA867D03F} - (no file)
O2 - BHO: (no name) - {287B1385-00C0-F97F-902C-AEB571174F80} - (no file)
O2 - BHO: (no name) - {48A70A85-0030-FA7F-90AC-E7B471174F80} - (no file)
O2 - BHO: (no name) - {55E791BA-AC9B-92F9-E2FF-C3EF5B0FFF88} - (no file)
O2 - BHO: (no name) - {5A33ADEC-283D-DD07-2596-5990CAAEFC42} - (no file)
O2 - BHO: (no name) - {65ACBEFE-0BAE-A33A-147A-C31FA1764D3D} - (no file)
O2 - BHO: (no name) - {684B2586-0050-FA7F-909C-50B671174F80} - (no file)
O2 - BHO: (no name) - {701A2486-0080-FD7F-90EC-20B571174F80} - (no file)
O2 - BHO: (no name) - {78633E86-00A0-F97F-902C-1FB671174F80} - (no file)
O2 - BHO: (no name) - {89CB2915-C77C-10B5-147F-83CE2F2A7AD3} - (no file)
O2 - BHO: (no name) - {954A1CF8-3B2A-3B36-16A4-CEF0850409A7} - (no file)
O2 - BHO: (no name) - {B0299417-3F72-E47A-7D4F-1C43E050621A} - (no file)
O2 - BHO: (no name) - {B0C34A85-00F0-F87F-909C-31F771174F80} - (no file)
O2 - BHO: (no name) - {C628EAD9-D383-0D91-2451-934216FD498F} - (no file)
O2 - BHO: (no name) - {C8B34405-014D-FE5C-FA80-F5434CA628EC} - (no file)
O2 - BHO: (no name) - {CF995F1A-9F13-F30A-ACA8-1D86AEB00B2E} - (no file)
O2 - BHO: (no name) - {D38CC83E-0323-2D71-E0EA-D02332E9F569} - (no file)
O2 - BHO: (no name) - {D8E71A86-0040-F87F-90CC-E9F671174F80} - (no file)
O2 - BHO: (no name) - {FA4ADB46-829A-FC5F-AF57-DBCA8FB70CDD} - (no file)
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [TransparentIcons] "C:\Program Files\Tweak-XP Pro\tranicon.exe" -ex
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhel...7/dlhelper.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B4B8E58-6C1E-4793-883A-9186F18C16CE}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: EpsonBidirectionalService - Unknown - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe

End of HijackThis Analyzer Log.
===========================================================================================================================
#6
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
You are doing just fine. Now that you have deleted most all of the files, let's try another round of HJT.
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: (no name) - {08C30086-0020-F97F-90AC-89B571174F80} - (no file)
O2 - BHO: (no name) - {15DCCDF4-E2C8-ADFE-0184-E3AFD81C250A} - (no file)
O2 - BHO: (no name) - {19A25736-85D9-C0A4-1977-A19FF8CC7514} - (no file)
O2 - BHO: (no name) - {20504D85-00F0-F97F-906C-3BB571174F80} - (no file)
O2 - BHO: (no name) - {20B04B85-0080-FA7F-90DC-4FB671174F80} - (no file)
O2 - BHO: (no name) - {2489636B-B324-8946-D2FF-786BA867D03F} - (no file)
O2 - BHO: (no name) - {287B1385-00C0-F97F-902C-AEB571174F80} - (no file)
O2 - BHO: (no name) - {48A70A85-0030-FA7F-90AC-E7B471174F80} - (no file)
O2 - BHO: (no name) - {55E791BA-AC9B-92F9-E2FF-C3EF5B0FFF88} - (no file)
O2 - BHO: (no name) - {5A33ADEC-283D-DD07-2596-5990CAAEFC42} - (no file)
O2 - BHO: (no name) - {65ACBEFE-0BAE-A33A-147A-C31FA1764D3D} - (no file)
O2 - BHO: (no name) - {684B2586-0050-FA7F-909C-50B671174F80} - (no file)
O2 - BHO: (no name) - {701A2486-0080-FD7F-90EC-20B571174F80} - (no file)
O2 - BHO: (no name) - {78633E86-00A0-F97F-902C-1FB671174F80} - (no file)
O2 - BHO: (no name) - {89CB2915-C77C-10B5-147F-83CE2F2A7AD3} - (no file)
O2 - BHO: (no name) - {954A1CF8-3B2A-3B36-16A4-CEF0850409A7} - (no file)
O2 - BHO: (no name) - {B0299417-3F72-E47A-7D4F-1C43E050621A} - (no file)
O2 - BHO: (no name) - {B0C34A85-00F0-F87F-909C-31F771174F80} - (no file)
O2 - BHO: (no name) - {C628EAD9-D383-0D91-2451-934216FD498F} - (no file)
O2 - BHO: (no name) - {C8B34405-014D-FE5C-FA80-F5434CA628EC} - (no file)
O2 - BHO: (no name) - {CF995F1A-9F13-F30A-ACA8-1D86AEB00B2E} - (no file)
O2 - BHO: (no name) - {D38CC83E-0323-2D71-E0EA-D02332E9F569} - (no file)
O2 - BHO: (no name) - {D8E71A86-0040-F87F-90CC-E9F671174F80} - (no file)
O2 - BHO: (no name) - {FA4ADB46-829A-FC5F-AF57-DBCA8FB70CDD} - (no file)

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in Normal Mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
GO BIG BLUE!!
#7
Registered User
Join Date: Nov 2004
Posts: 10
OS: XP Pro
hi CTSNKY, u helped me last time m8 :)
Will do what you said. What I have noticed in System32 when I was looking for the files, if u see in my first post where I mentioned about processes running that have kind of random names or numbers, it would seem I deleted the ones with letters as they showed up in the first HijackThis file, but in System32 there are a lot of what I think are .exe files with random numbers like I said. Like 39734687 or 66308562 etc. I'm sure these are the ones that showed up as running processes when I had problems. Would these be what I'm looking to delete?? lol, I'm probably getting in way above my head by even thinking about this and should just follow what u say. Should I just ignore these and run the HJ again??

EDIT: I presume I should reboot into safe mode before running HJT and fixing the ones mentioned???

Last edited by Paul_RFC : 01-29-2005 at 09:28 PM.
#8
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Hey Paul,
Well, those do sound like very suspicious file names to me. If you can see a similar correlation in their created dates, I would guess they are baddies and remove them. To be a bit safe, send them all to the Recycle Bin first and see if it has an effect on your system. The above fixes can be done either way, Safe or Normal. If they reappear, we'll have to take another approach. You had yourself another nasty infection there, for sure. Post a fresh HJT log when ready.
__________________
GO BIG BLUE!!
#9
Registered User
Join Date: Nov 2004
Posts: 10
OS: XP Pro
hey m8
here is new log, I rebooted just before u replied and ran HJT and checked and fixed the ones u said, the ones with (no file), but having rebooted and got the new log it appears they are still there??? hmmmmmmmmmmm

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 1/7/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 05:44:58, on 30/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\RedLine\Taskbar.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Tweak-XP Pro\tranicon.exe
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\Program Files\Gearbox Connection Kit\bin\gbdash.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://66.197.142.134/forums/forumdi...?s=&forumid=19
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = PaulG Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08C30086-0020-F97F-90AC-89B571174F80} - (no file)
O2 - BHO: (no name) - {15DCCDF4-E2C8-ADFE-0184-E3AFD81C250A} - (no file)
O2 - BHO: (no name) - {19A25736-85D9-C0A4-1977-A19FF8CC7514} - (no file)
O2 - BHO: (no name) - {20504D85-00F0-F97F-906C-3BB571174F80} - (no file)
O2 - BHO: (no name) - {20B04B85-0080-FA7F-90DC-4FB671174F80} - (no file)
O2 - BHO: (no name) - {2489636B-B324-8946-D2FF-786BA867D03F} - (no file)
O2 - BHO: (no name) - {287B1385-00C0-F97F-902C-AEB571174F80} - (no file)
O2 - BHO: (no name) - {48A70A85-0030-FA7F-90AC-E7B471174F80} - (no file)
O2 - BHO: (no name) - {55E791BA-AC9B-92F9-E2FF-C3EF5B0FFF88} - (no file)
O2 - BHO: (no name) - {5A33ADEC-283D-DD07-2596-5990CAAEFC42} - (no file)
O2 - BHO: (no name) - {65ACBEFE-0BAE-A33A-147A-C31FA1764D3D} - (no file)
O2 - BHO: (no name) - {684B2586-0050-FA7F-909C-50B671174F80} - (no file)
O2 - BHO: (no name) - {701A2486-0080-FD7F-90EC-20B571174F80} - (no file)
O2 - BHO: (no name) - {78633E86-00A0-F97F-902C-1FB671174F80} - (no file)
O2 - BHO: (no name) - {89CB2915-C77C-10B5-147F-83CE2F2A7AD3} - (no file)
O2 - BHO: (no name) - {954A1CF8-3B2A-3B36-16A4-CEF0850409A7} - (no file)
O2 - BHO: (no name) - {B0299417-3F72-E47A-7D4F-1C43E050621A} - (no file)
O2 - BHO: (no name) - {B0C34A85-00F0-F87F-909C-31F771174F80} - (no file)
O2 - BHO: (no name) - {C628EAD9-D383-0D91-2451-934216FD498F} - (no file)
O2 - BHO: (no name) - {C8B34405-014D-FE5C-FA80-F5434CA628EC} - (no file)
O2 - BHO: (no name) - {CF995F1A-9F13-F30A-ACA8-1D86AEB00B2E} - (no file)
O2 - BHO: (no name) - {D38CC83E-0323-2D71-E0EA-D02332E9F569} - (no file)
O2 - BHO: (no name) - {D8E71A86-0040-F87F-90CC-E9F671174F80} - (no file)
O2 - BHO: (no name) - {FA4ADB46-829A-FC5F-AF57-DBCA8FB70CDD} - (no file)
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [RedLine Taskbar] C:\Program Files\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [TransparentIcons] "C:\Program Files\Tweak-XP Pro\tranicon.exe" -ex
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/dlhel...7/dlhelper.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B4B8E58-6C1E-4793-883A-9186F18C16CE}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: EpsonBidirectionalService - Unknown - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe

End of HijackThis Analyzer Log.
===========================================================================================================================
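The point the thread turns on here, from the list of "(no name) ... (no file)" O2 entries in post #6 to the observation in post #9 that they are all back after a fix and a reboot, is easy to check mechanically. The following is an added example (not code from the forum thread, from HijackThis or from the KRC HijackThis Analyzer): it parses the O2 BHO lines of an HJT log, flags dangling registrations (no display name and no backing DLL), and compares a "before fix" log with an "after fix" log to report which orphans were removed, which persist, and which are new. The two sample logs are constructed; the CLSIDs ending in `1111-2222-3333-444444444444` are synthetic, while the all-zero CLSID and the Acrobat entry mirror lines that appear in the thread.

```python
"""Spot orphaned BHO registrations in HijackThis (HJT) logs and check whether
they survived a 'Fix checked' pass by comparing a before and an after log.

Added example: not code from the forum thread, from HijackThis or from the
KRC HijackThis Analyzer. The sample logs at the bottom are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One "O2 - BHO:" line: display name, CLSID in braces, backing DLL path.
O2_BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class BhoEntry:
    name: str
    clsid: str
    path: str

    @property
    def orphaned(self) -> bool:
        """HJT prints '(no name)' for a CLSID with no registered display name
        and '(no file)' when its DLL is missing on disk; both together mean a
        dangling BHO registration with nothing behind it."""
        return self.name == "(no name)" and self.path == "(no file)"


def parse_bhos(log: str) -> list[BhoEntry]:
    """Extract every O2 BHO entry; all other HJT sections are ignored."""
    entries: list[BhoEntry] = []
    for line in log.splitlines():
        m = O2_BHO_RE.match(line.strip())
        if m:
            # CLSIDs are case-insensitive; normalise so before/after compare.
            entries.append(BhoEntry(m["name"], m["clsid"].upper(), m["path"]))
    return entries


def orphaned_clsids(log: str) -> set[str]:
    return {e.clsid for e in parse_bhos(log) if e.orphaned}


def fix_outcome(before_log: str, after_log: str) -> dict[str, set[str]]:
    """Compare orphaned BHO entries across a fix pass.

    'removed'    - orphans present before and gone after (the fix held)
    'persisting' - orphans still present after the fix (something is
                   re-registering them, or the fix ran in a different mode
                   or account than the one whose log you are reading)
    'new'        - orphans that appeared only in the after log
    """
    before, after = orphaned_clsids(before_log), orphaned_clsids(after_log)
    return {
        "removed": before - after,
        "persisting": before & after,
        "new": after - before,
    }


# Constructed sample logs. CLSIDs ending 1111-2222-3333-444444444444 are
# synthetic; the zero CLSID and the Acrobat line mirror entries in the thread.
BEFORE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {AAAAAAAA-1111-2222-3333-444444444444} - (no file)",
    r"O2 - BHO: (no name) - {BBBBBBBB-1111-2222-3333-444444444444} - (no file)",
    r'O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"',
])

AFTER_LOG = "\n".join([
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {BBBBBBBB-1111-2222-3333-444444444444} - (no file)",
])


if __name__ == "__main__":
    for label, clsids in fix_outcome(BEFORE_LOG, AFTER_LOG).items():
        print(f"{label:10s} {len(clsids):2d}  " + " ".join(sorted(clsids)))
```

Run against the real before/after logs in this thread, every one of the 25 orphaned CLSIDs lands in `persisting`, which is exactly the signal that a "Fix checked" pass in HijackThis is not enough and that whatever re-creates the registrations has to be found (the reason the next post moves on to StartDreck and a trojan scanner). A legitimate BHO with a real DLL path, such as the Acrobat helper, is never flagged.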
#10
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Always a problem child, aren't you?
==========
Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'
Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'
Press 'Save' and select the location to save the log file (default is the same folder as the application)
Post the log in this thread.

Gimme that one first, then run this scan below.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you have installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.
__________________
GO BIG BLUE!!