|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
02-25-2005, 01:51 PM
|
#1 (permalink) |
|
Member
Join Date: Jan 2005
Posts: 33
OS: Windows ME
|
Hijackthis log help
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 3:53:43 PM, on 2/25/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\NHCGINAXU.EXE C:\WINDOWS\SYSTEM\XL.EXE C:\PROGRAM FILES\WINZIP\WINZIP32.EXE C:\WINDOWS\TEMP\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file) O2 - BHO: (no name) - {8DBEA6A2-3602-4CCE-A01C-D9597920091B} - C:\PROGRAM FILES\BZK9KUO9\BZK9KUO9.dll O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/30c68719b8f7e3d...p/RdxIE601.cab O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab? O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sify.com/eot/tdserver.cab End of KRC HijackThis Analyzer Log. ==================================================================== Last edited by compgeek; 02-25-2005 at 02:00 PM. |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
02-25-2005, 02:17 PM
|
#2 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home
|
Hi and welcome to TSF.
I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p Please be patient with me during this time. |
|
|
|
|
02-25-2005, 04:51 PM
|
#3 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home
|
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.
Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. You will use this later. Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds. Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation. Go to My Computer->View->Folder Options->View tab and make sure that 'Show all files' is checked under the 'Hidden Files' section. Also make sure there is no checkmark beside 'Hide file extensions for known file types'. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check Disable System Restore. Click OK. Click Yes when you are prompted to restart Windows. When we have confirmed that your log file is clean, you may enable System Restore again by following the same steps as above except you should uncheck Disable System Restore. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINDOWS\SYSTEM\NHCGINAXU.EXE Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: EliteToolBar EliteSideBar Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file) O2 - BHO: (no name) - {8DBEA6A2-3602-4CCE-A01C-D9597920091B} - C:\PROGRAM FILES\BZK9KUO9\BZK9KUO9.dll O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/30c68719b8f7e3...ip/RdxIE601.cab O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab? >>>if you intend to keep Weatherbug, ignore this entry O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\SYSTEM\NHCGINAXU.EXE C:\PROGRAM FILES\BZK9KUO9 c:\counter.cab Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. |
|
|
|
|
02-25-2005, 07:43 PM
|
#4 (permalink) |
|
Member
Join Date: Jan 2005
Posts: 33
OS: Windows ME
|
StartupList report, 2/25/2005, 9:45:43 PM
StartupList version: 1.52.2 Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE Detected: Windows ME (Win9x 4.90.3000) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options ================================================== Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\WINDOWS\SYSTEM\XL.EXE C:\WINDOWS\NOTEPAD.EXE C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ScanRegistry = C:\WINDOWS\scanregw.exe /autorun TaskMonitor = C:\WINDOWS\taskmon.exe PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s SystemTray = SysTray.Exe LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme UpdReg = C:\WINDOWS\Updreg.exe NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize nwiz = nwiz.exe /install DIGStream = C:\Program Files\DIGStream\digstream.exe ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" devldr16.exe = C:\WINDOWS\SYSTEM\devldr16.exe -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme SchedulingAgent = mstask.exe *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg -------------------------------------------------- File association entry for .TXT: HKEY_CLASSES_ROOT\txtfile\shell\open\command (Default) = C:\WINDOWS\NOTEPAD.EXE %1 -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=Explorer.exe SCRNSAVE.EXE= drivers=mmsystem.dll power.drv -------------------------------------------------- C:\WINDOWS\WININIT.BAK listing: (Created 25/2/2005, 15:34:8) [Rename] NUL=c:\_RESTORE\TEMP\A0169280.CPY NUL=c:\_RESTORE\TEMP\A0169279.CPY -------------------------------------------------- C:\AUTOEXEC.BAT listing: SET windir=C:\WINDOWS SET winbootdir=C:\WINDOWS SET COMSPEC=C:\WINDOWS\COMMAND.COM SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND SET PROMPT=$p$g SET TEMP=C:\WINDOWS\TEMP SET TMP=C:\WINDOWS\TEMP -------------------------------------------------- C:\WINDOWS\WINSTART.BAT listing: C:\WINDOWS\tmpcpyis.bat -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7} -------------------------------------------------- Enumerating Task Scheduler jobs: Tune-up Application Start.job PCHealth Scheduler for Data Collection.job Maintenance-Defragment programs.job Maintenance-ScanDisk.job Symantec NetDetect.job Maintenance-Disk cleanup.job Norton AntiVirus - Scan my computer.job -------------------------------------------------- Enumerating Download Program Files: [Update Class] InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL CODEBASE = http://v4.windowsupdate.microsoft.co...886.6186921296 [ActiveDataObj Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL CODEBASE = https://www-secure.symantec.com/tech...ActiveData.cab [ActiveDataInfo Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SYMADATA.DLL CODEBASE = https://www-secure.symantec.com/tech...a/SymAData.dll [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab [YInstStarter Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL CODEBASE = http://download.yahoo.com/dl/installs/yinst0309.cab [Persits Software XUpload] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\XUPLOAD.OCX CODEBASE = http://www.dotphoto.com/XUpload.ocx [{62475759-9E84-458E-A1AB-5D2C442ADFDE}] CODEBASE = http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe [iPIX ActiveX Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\IPIXX.OCX CODEBASE = http://www.ipix.com/viewers/ipixx.cab [TDServer Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\TDSERVER.OCX CODEBASE = http://sify.com/eot/tdserver.cab -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run nhcginaxu.exe = C:\WINDOWS\SYSTEM\nhcginaxu.exe -------------------------------------------------- End of report, 6,272 bytes Report generated in 0.083 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\AUPDATE.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 9:42:55 PM, on 2/25/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER.EXE C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE C:\WINDOWS\SYSTEM\XL.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html O9 - Extra button: PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sify.com/eot/tdserver.cab End of KRC HijackThis Analyzer Log. ==================================================================== |
|
|
|
|
02-25-2005, 07:56 PM
|
#5 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home
|
I am reviewing your reply with the guidance of our expert Analysts. I'll return ASAP with more info.
|
|
|
|
|
02-26-2005, 07:02 AM
|
#6 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home
|
Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check Disable System Restore. Click OK. Click Yes when you are prompted to restart Windows. When we have confirmed that your log file is clean, you may enable System Restore again by following the same steps as above except you should uncheck Disable System Restore.
Now restart your system. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Do not run it yet. Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready): Open up HijackThis and go to Config->Misc Tools and check the first two boxes there. Now click on the Generate StartupList log button. Post that log in your next post. Right click on this link and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on Silent Runners to run it. This will take a few minutes. It will create a file called Startup Programs followed by your computer name and current date. Open up that file and post all the contents here in your next post. Download Find-qoologic. Unzip the files to your Desktop. Open the qoologic folder and run the qoologic.bat file. Wait a few minutes for it to finish. When the dos window disappears, go to your C: drive and open up the log.txt file. Copy and paste the whole log in your next post. Download DllCompare and run it. Click on the Locate.com button. Wait a few seconds and then click on the Compare button. Let it run, then click on Make a log of what was found. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now run DllCompare. Download Find It and unzip it. Open up the folder and double click on the find.bat file. Let it run for a while. After it's finished, open up file. Copy and paste the contents to the forums. Post all of the logs in your next post. We need them all to get a fix for this infection. |
|
|
|
|
02-26-2005, 08:08 AM
|
#7 (permalink) |
|
Member
Join Date: Jan 2005
Posts: 33
OS: Windows ME
|
HijackThis StartupList Log
StartupList report, 2/26/2005, 10:00:18 AM StartupList version: 1.52.2 Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE Detected: Windows ME (Win9x 4.90.3000) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options * Including empty and uninteresting sections * Showing rarely important sections ================================================== Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\WINDOWS\SYSTEM\XL.EXE C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE -------------------------------------------------- Listing of startup folders: Shell folders Startup: [C:\WINDOWS\Start Menu\Programs\StartUp] *No files* Shell folders AltStartup: *Folder not found* User shell folders Startup: *Folder not found* User shell folders AltStartup: *Folder not found* Shell folders Common Startup: [C:\WINDOWS\All Users\Start Menu\Programs\StartUp] *No files* Shell folders Common AltStartup: *Folder not found* User shell folders Common Startup: *Folder not found* User shell folders Alternate Common Startup: *Folder not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ScanRegistry = C:\WINDOWS\scanregw.exe /autorun TaskMonitor = C:\WINDOWS\taskmon.exe PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s SystemTray = SysTray.Exe LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme UpdReg = C:\WINDOWS\Updreg.exe NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize nwiz = nwiz.exe /install DIGStream = C:\Program Files\DIGStream\digstream.exe ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" devldr16.exe = C:\WINDOWS\SYSTEM\devldr16.exe -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce *No values found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *No values found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme SchedulingAgent = mstask.exe *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *No values found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run *No values found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce *No values found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\Run [OptionalComponents] *No values found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\Run *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- File association entry for .EXE: HKEY_CLASSES_ROOT\exefile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .COM: HKEY_CLASSES_ROOT\comfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .BAT: HKEY_CLASSES_ROOT\batfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .PIF: HKEY_CLASSES_ROOT\piffile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .SCR: HKEY_CLASSES_ROOT\scrfile\shell\open\command (Default) = "%1" /S -------------------------------------------------- File association entry for .HTA: HKEY_CLASSES_ROOT\htafile\shell\open\command (Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %* -------------------------------------------------- File association entry for .TXT: HKEY_CLASSES_ROOT\txtfile\shell\open\command (Default) = C:\WINDOWS\NOTEPAD.EXE %1 -------------------------------------------------- Enumerating Active Setup stub paths: HKLM\Software\Microsoft\Active Setup\Installed Components (* = disabled by HKCU twin) [SetupcPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf [AppletsPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf [PerUser_CVT_Inis] StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf [FontsPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf [PerUser_HNW_Inis] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_HNW_Inis 64 C:\WINDOWS\INF\ICS.inf [PerUser_ICW_Inis] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] * StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP [{89820200-ECBD-11cf-8B85-00AA005B4395}] * StubPath = regsvr32.exe /s /n /i:U shell32.dll [PerUser_moviemaker] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_moviemaker 64 C:\WINDOWS\INF\moviemk.inf [>PerUser_MSN_Clean] * StubPath = C:\WINDOWS\msnmgsr1.exe [{CA0A4247-44BE-11d1-A005-00805F8ABE06}] * StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf [PerUser_Msinfo] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf [PerUser_Msinfo2] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf [MotownMmsysPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf [MotownAvivideoPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf [PerUser_Base] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf [SamplerPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SamplerPerUser 64 C:\WINDOWS\INF\sampler.inf [ShellPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf [Shell2PerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf [PerUser_winbase_Links] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf [PerUser_winapps_Links] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf [PerUser_LinkBar_URLs] * StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L [TapiPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf [PerUser_MSWordPad_Inis] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf [PerUserOldLinks] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf [MmoptRegisterPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf [PerUser_CDPlayer_Inis] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf [OlsPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf [OlsMsnPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf [PerUser_PCHealth] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PCHealth 64 C:\WINDOWS\INF\pchealth.inf [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub [PerUser_Paint_Inis] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf [PerUser_Calc_Inis] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf [PerUser_Enable_Inis] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 C:\WINDOWS\INF\enable.inf [PerUser_Wingames_Inis] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\games.inf [PerUser_ZoneGame_Inis] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Inis 64 C:\WINDOWS\INF\games.inf [PerUser_PBGame_Inis] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Inis 64 C:\WINDOWS\INF\games.inf [{5945c046-1e7d-11d1-bc44-00c04fd912be}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser [MotownRecPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf [PerUser_Vol] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf [MotownMPlayPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf [PerUser_RNA_Inis] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf [PerUser_Dialer_Inis] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf [{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95 [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] * StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C} [{7790769C-0471-11d2-AF11-00C04FA35D02}] * StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02} [OlsAolPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf [OlsAttPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf [OlsProdigyPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf [OlsEarthlinkPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUser 64 C:\WINDOWS\INF\ols.inf [{89820200-ECBD-11cf-8B85-00AA005B4383}] * StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] * StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] * StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP [NetservrPerUser] * StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf -------------------------------------------------- Enumerating ICQ Agent Autostart apps: HKCU\Software\Mirabilis\ICQ\Agent\Apps *Registry key not found* -------------------------------------------------- Load/Run keys from C:\WINDOWS\WIN.INI: load= run= -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=Explorer.exe SCRNSAVE.EXE= drivers=mmsystem.dll power.drv -------------------------------------------------- Checking for EXPLORER.EXE instances: C:\WINDOWS\Explorer.exe: PRESENT! C:\Explorer.exe: not present C:\WINDOWS\Explorer\Explorer.exe: not present C:\WINDOWS\System\Explorer.exe: not present C:\WINDOWS\System32\Explorer.exe: not present C:\WINDOWS\Command\Explorer.exe: not present C:\WINDOWS\Fonts\Explorer.exe: not present -------------------------------------------------- C:\WINDOWS\WININIT.INI listing: *File not found* -------------------------------------------------- C:\WINDOWS\WININIT.BAK listing: (Created 25/2/2005, 15:34:8) [Rename] NUL=c:\_RESTORE\TEMP\A0169280.CPY NUL=c:\_RESTORE\TEMP\A0169279.CPY -------------------------------------------------- C:\AUTOEXEC.BAT listing: SET windir=C:\WINDOWS SET winbootdir=C:\WINDOWS SET COMSPEC=C:\WINDOWS\COMMAND.COM SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND SET PROMPT=$p$g SET TEMP=C:\WINDOWS\TEMP SET TMP=C:\WINDOWS\TEMP -------------------------------------------------- C:\CONFIG.SYS listing: *File is empty* -------------------------------------------------- C:\WINDOWS\WINSTART.BAT listing: C:\WINDOWS\tmpcpyis.bat -------------------------------------------------- C:\WINDOWS\DOSSTART.BAT listing: *File not found* -------------------------------------------------- Checking for superhidden extensions: .lnk: HIDDEN! (arrow overlay: yes) .pif: HIDDEN! (arrow overlay: yes) .exe: not hidden .com: not hidden .bat: not hidden .hta: not hidden .scr: not hidden .shs: HIDDEN! .shb: HIDDEN! .vbs: not hidden .vbe: not hidden .wsh: not hidden .scf: HIDDEN! (arrow overlay: NO!) .url: HIDDEN! (arrow overlay: yes) .js: not hidden .jse: not hidden -------------------------------------------------- Verifying REGEDIT.EXE integrity: - Regedit.exe found in C:\WINDOWS - .reg open command is normal (regedit.exe %1) - Company name OK: 'Microsoft Corporation' - Original filename OK: 'REGEDIT.EXE' - File description: 'Registry Editor' Registry check passed -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7} -------------------------------------------------- Enumerating Task Scheduler jobs: Tune-up Application Start.job PCHealth Scheduler for Data Collection.job Maintenance-Defragment programs.job Maintenance-ScanDisk.job Symantec NetDetect.job Maintenance-Disk cleanup.job Norton AntiVirus - Scan my computer.job -------------------------------------------------- Enumerating Download Program Files: [Microsoft XML Parser for Java] OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd [DirectAnimation Java Classes] OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd [Update Class] InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL CODEBASE = http://v4.windowsupdate.microsoft.co...886.6186921296 [ActiveDataObj Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL CODEBASE = https://www-secure.symantec.com/tech...ActiveData.cab [ActiveDataInfo Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SYMADATA.DLL CODEBASE = https://www-secure.symantec.com/tech...a/SymAData.dll [Yahoo! Literati] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SYMADATA.DLL CODEBASE = http://download.games.yahoo.com/game...ts/y/tt3_x.cab OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Literati.osd [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab [YInstStarter Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL CODEBASE = http://download.yahoo.com/dl/installs/yinst0309.cab [Java Plug-in 1.4.2_02] InProcServer32 = C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll CODEBASE = http://java.sun.com/products/plugin/...ndows-i586.cab [Java Plug-in 1.4.2_02] InProcServer32 = C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll CODEBASE = http://java.sun.com/products/plugin/...ndows-i586.cab [Persits Software XUpload] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\XUPLOAD.OCX CODEBASE = http://www.dotphoto.com/XUpload.ocx [{62475759-9E84-458E-A1AB-5D2C442ADFDE}] CODEBASE = http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe [iPIX ActiveX Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\IPIXX.OCX CODEBASE = http://www.ipix.com/viewers/ipixx.cab [TDServer Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\TDSERVER.OCX CODEBASE = http://sify.com/eot/tdserver.cab -------------------------------------------------- Enumerating Winsock LSP files: NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll Protocol #4: C:\WINDOWS\SYSTEM\msafd.dll Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll Protocol #6: C:\WINDOWS\SYSTEM\rsvpsp.dll -------------------------------------------------- Enumerating Win9x VxD services: VNETSUP: vnetsup.vxd VPOWERD: *VPOWERD NDIS: ndis.vxd JAVASUP: JAVASUP.VXD CONFIGMG: *CONFIGMG NTKern: *NTKERN VWIN32: *VWIN32 VFBACKUP: *VFBACKUP VCOMM: *VCOMM COMBUFF: *COMBUFF IFSMGR: *IFSMGR IOS: *IOS MTRR: *MTRR SPOOLER: *SPOOLER UDF: *UDF VFAT: *VFAT VCACHE: *VCACHE VCOND: *VCOND VCDFSD: *VCDFSD VXDLDR: *VXDLDR VDEF: *VDEF VPICD: *VPICD VTD: *VTD REBOOT: *REBOOT VDMAD: *VDMAD VSD: *VSD V86MMGR: *V86MMGR PAGESWAP: *PAGESWAP DOSMGR: *DOSMGR VMPOLL: *VMPOLL SHELL: *SHELL PARITY: *PARITY BIOSXLAT: *BIOSXLAT VMCPD: *VMCPD VTDAPI: *VTDAPI PERF: *PERF VNETBIOS: vnetbios.vxd VREDIR: vredir.vxd DFS: dfs.vxd VSERVER: vserver.vxd SYMTDI: SYMTDI.VXD -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run nhcginaxu.exe = C:\WINDOWS\SYSTEM\nhcginaxu.exe -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *Registry key not found* -------------------------------------------------- End of report, 23,357 bytes Report generated in 0.250 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only Silent Runners Log "Silent Runners.vbs", revision 29, launched at: 10:03 Output limited to non-default values, except where indicated by "{++}" Operating System: Windows Millennium Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS] "TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS] "PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS] "SystemTray" = "SysTray.Exe" [MS] "LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS] "UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."] "NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS] "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] "DIGStream" = "C:\Program Files\DIGStream\digstream.exe" ["Walt Disney Internet Group"] "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"] "devldr16.exe" = "C:\WINDOWS\SYSTEM\devldr16.exe" ["Creative Technology Ltd."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++} "LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS] "SchedulingAgent" = "mstask.exe" [MS] "*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS] "ccEvtMgr" = ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"] "ScriptBlocking" = ""C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg" ["Symantec Corporation"] HKLM\Software\Microsoft\Active Setup\Installed Components\ "PerUser_CVT_Inis\(Default)" = "Windows Setup - FAT32 Converter" \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID] -> resolves to: {CLSID}\InprocServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "AUHook" = "{BCBCD383-3E06-11D3-91A9-00C04F68105C}" -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\SYSTEM\AUHOOK.DLL" [MS] WINSTART.BAT contents: ---------------------- @C:\WINDOWS\tmpcpyis.bat [file not found] Enabled Scheduled Tasks: ------------------------ "Tune-up Application Start" -> launches: "walign" [MS] "PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS] "Symantec NetDetect" -> launches: "C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE" ["Symantec Corporation"] "Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\WINDOWS\ALLUSE~1\APPLIC~1\SYMANTEC\NORTON~1\TASKS\MYCOMP.SCA" ["Symantec Corporation"] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ---------- qoologic log ECHO is on PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Files Found in system Folder............ ------------------------ Files Found in all users startup Folder............ ------------------------ dllcompare log * DLLCompare Log version() Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ C:\WINDOWS\SYSTEM\nticdm~1.dll Tue Oct 19 2004 10:25:42a ...HR 1,024 1.00 K ________________________________________________ 849 items found: 849 files (1 H/S), 0 directories. Total of file sizes: 168,319,121 bytes 160.52 M --------------------End log--------------------- find it did not work properly - kept asking to add stuff to the registry |
|
|
|
|
02-26-2005, 10:41 AM
|
#9 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home
|
I am reviewing your reply with the guidance of our expert Analysts. I'll return ASAP with more info.
|
|
|
|
|
02-26-2005, 12:04 PM
|
#10 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,443
OS: 2000 Pro; XP Pro; XP Home
|
For your FindIt, click on this link . Please post that log in this thread.
Last edited by tetonbob; 02-26-2005 at 12:05 PM. |
|
|
|
