Old 03-01-2005, 01:52 AM   #1
steveybob
Registered User
Join Date: Feb 2005
Location: kent UK
Posts: 157
OS: xp


Searchdom, loaders and virus Influx 'HELP'?

Unfortunately 'Searchdom' loaded on my home PC last week. Got broadband yesterday and there was an influx of trojans, worms and viruses. Norton managed to delete most of them and the adware found many nasty things going on, but alas, even when the PC is offline the popups try to pop up and Internet Explorer is constantly being opened and trying to connect. My PC runs fine for a while then slowly grinds to a serious halt; I cannot even get the Task Manager to work. SOMEONE PLEASE HELP.

THANKS

STEVE

PS. Am at work so will not be able to sort any of this out until this eve
cheers anyway.



Logfile of HijackThis v1.99.1
Scan saved at 19:14:07, on 28/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\atwtusb.exe
C:\WINDOWS\system.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\csrssp.exe
C:\WINDOWS\fvutsu.exe
C:\WINDOWS\a65d.exe
C:\WINDOWS\System32\SNSS32.EXE
C:\WINDOWS\newsd.exe
C:\WINDOWS\System32\rant.exe
C:\WINDOWS\System32\run.exe
C:\WINDOWS\System32\pingppac.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [NvCplSystem] C:\WINDOWS\system.exe
O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Kg5elGi4] c:\windows\temp\Kg5elGi4.exe
O4 - HKLM\..\Run: [NAV Auto Updates] csrssp.exe
O4 - HKLM\..\Run: [bkITDO] C:\WINDOWS\fvutsu.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteexk32.exe
O4 - HKLM\..\Run: [popuppers65] C:\WINDOWS\a65d.exe
O4 - HKLM\..\Run: [Dot.net Networking] SNSS32.EXE
O4 - HKLM\..\Run: [newsfeed12] C:\WINDOWS\newsd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [rant] rant.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [runs] run.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] csrssp.exe
O4 - HKLM\..\RunServices: [Dot.net Networking] SNSS32.EXE
O4 - HKLM\..\RunServices: [rant] rant.exe
O4 - HKLM\..\RunServices: [runs] run.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NAV Auto Updates] csrssp.exe
O4 - HKCU\..\Run: [rant] rant.exe
O4 - HKCU\..\Run: [runs] run.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Old 03-01-2005, 04:34 AM   #2
steveybob
Registered User
Join Date: Feb 2005
Location: kent UK
Posts: 157
OS: xp


Can't edit my thread so posted a reply with more info

It seems the problem could be the W32.Spybot.KHC, so I hope that helps with analysing my log - steveybob
Old 03-01-2005, 05:21 AM   #3
VADAR
Member
Join Date: Jan 2005
Location: Bristol,uk
Posts: 154
OS: win xp pro


Welcome to TSF,

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst and I will be back with a fix for your problem a.s.a.p.

Please try to check back to this thread as regularly as possible.
Old 03-01-2005, 10:14 AM   #4
VADAR
Member
Join Date: Jan 2005
Location: Bristol,uk
Posts: 154
OS: win xp pro


Hi steveybob,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Download CWShredder and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. You may delete it afterwards.

Download istbar removal tool and save it to your desktop. Open FxIstbar and then click ok.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system.exe
C:\WINDOWS\System32\csrssp.exe
C:\WINDOWS\fvutsu.exe
C:\WINDOWS\a65d.exe
C:\WINDOWS\System32\SNSS32.EXE
C:\WINDOWS\newsd.exe
C:\WINDOWS\System32\rant.exe
C:\WINDOWS\System32\run.exe
C:\WINDOWS\System32\pingppac.exe


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

ieloader
Preview AdService
IST Service


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NvCplSystem] C:\WINDOWS\system.exe
O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
O4 - HKLM\..\Run: [Kg5elGi4] c:\windows\temp\Kg5elGi4.exe
O4 - HKLM\..\Run: [NAV Auto Updates] csrssp.exe
O4 - HKLM\..\Run: [bkITDO] C:\WINDOWS\fvutsu.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteexk32.exe
O4 - HKLM\..\Run: [popuppers65] C:\WINDOWS\a65d.exe
O4 - HKLM\..\Run: [Dot.net Networking] SNSS32.EXE
O4 - HKLM\..\Run: [newsfeed12] C:\WINDOWS\newsd.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [runs] run.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] csrssp.exe
O4 - HKLM\..\RunServices: [Dot.net Networking] SNSS32.EXE
O4 - HKLM\..\RunServices: [rant] rant.exe
O4 - HKLM\..\RunServices: [runs] run.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKCU\..\Run: [NAV Auto Updates] csrssp.exe
O4 - HKCU\..\Run: [rant] rant.exe
O4 - HKCU\..\Run: [runs] run.exe
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%...6E%65%74/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%...6E%65%74/?re=
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system.exe
C:\WINDOWS\System32\csrssp.exe
C:\WINDOWS\fvutsu.exe
C:\WINDOWS\a65d.exe
C:\WINDOWS\System32\SNSS32.EXE
C:\WINDOWS\newsd.exe
C:\WINDOWS\System32\rant.exe
C:\WINDOWS\System32\run.exe
C:\WINDOWS\System32\pingppac.exe
C:\WINDOWS\Downloaded Program Files\ieloader.exe
C:\windows\system32\eliteexk32.exe
C:\Program Files\Preview AdService
C:\Program Files\ISTsvc
rant.exe->>>>>> Do a search for this one.
run.exe->>>>>>>Do a search for this one.


Run cleanup again

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
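The fix list above is what an analyst produces by reading the R0/R1, O4, O13 and O15 lines by eye. The Python script below is an added example (not part of this thread, not a HijackThis or Tech Support Forum tool) that automates that first pass over the same kind of log: it decodes the percent-encoded O13 URL prefix, lists O15 Trusted-zone additions, and scores each O4 registry autorun entry with the heuristics used above (file dropped in the Windows directory or a temp folder, a name that imitates a core Windows process such as csrssp.exe vs csrss.exe, a bare filename with no path, a RunServices key). The sample input is a constructed subset of the first log posted in this thread; the severity thresholds, the list of core process names and the edit-distance cutoff are the example's own assumptions.

```python
"""First-pass triage for HijackThis-style log lines (R0/R1, O4, O13, O15)."""
import re
from urllib.parse import unquote

# Constructed sample: a subset of the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplSystem] C:\WINDOWS\system.exe
O4 - HKLM\..\Run: [Kg5elGi4] c:\windows\temp\Kg5elGi4.exe
O4 - HKLM\..\Run: [NAV Auto Updates] csrssp.exe
O4 - HKLM\..\Run: [popuppers65] C:\WINDOWS\a65d.exe
O4 - HKLM\..\RunServices: [rant] rant.exe
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O15 - Trusted Zone: *.popuppers.com
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O13_RE = re.compile(r"^O13 - (?P<what>[\w ]*Prefix): (?P<val>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>.*)$")
R_RE = re.compile(r"^(?P<kind>R[01]) - .*,(?P<setting>[^,=]+) = (?P<url>\S+)")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)

# Stems of core Windows processes whose names malware commonly imitates (assumed list).
SYSTEM_PROCESS_STEMS = ("csrss", "explorer", "lsass", "services", "smss",
                        "spoolsv", "svchost", "system", "winlogon")


def levenshtein(a, b):
    """Edit distance; used to catch one-character look-alikes such as csrssp vs csrss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_autorun(key, cmd):
    """Score one O4 registry autorun command. Returns (severity, [reasons]).

    These are analyst heuristics, not a verdict: legitimate driver helpers also
    use bare filenames, so 'review' means look at it, not delete it.
    """
    m = EXE_RE.match(cmd)
    exe = m.group("exe") if m else (cmd.split()[0] if cmd.split() else "")
    low = exe.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if "\\temp\\" in low:
        reasons.append("runs from a temp directory")
    for sysname in SYSTEM_PROCESS_STEMS:
        if levenshtein(stem, sysname) <= 1:
            reasons.append(f"file name imitates core process '{sysname}'")
            break
    if "\\" not in low:
        reasons.append("bare filename, located by the loader's search path rather than a fixed path")
    elif re.fullmatch(r"[a-z]:\\windows\\[^\\]+", low):
        reasons.append("executable dropped directly into the Windows directory")
    if key.lower() == "runservices":
        reasons.append("RunServices is a Windows 9x/Me key that NT-based Windows ignores; droppers still write it")
    if any(r.startswith(("runs from", "file name imitates")) for r in reasons):
        return "high", reasons
    return ("review" if reasons else "ok"), reasons


def decode_prefix(value):
    """Undo the %XX encoding hijackers use to hide the host in an O13 prefix."""
    return unquote(value)


def triage(log_text):
    """Walk a HijackThis log and return (severity, line, reason) findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            sev, reasons = assess_autorun(m["key"], m["cmd"])
            if sev != "ok":
                findings.append((sev, line, "; ".join(reasons)))
        elif m := O13_RE.match(line):
            decoded = decode_prefix(m["val"])
            if decoded != "http://":  # stock value; anything else rewrites addresses typed without a scheme
                findings.append(("high", line, f"IE URL prefix hijack, decodes to {decoded}"))
        elif m := O15_RE.match(line):
            findings.append(("review", line, f"{m['site']} added to the Trusted sites zone, which relaxes IE security settings"))
        elif m := R_RE.match(line):
            findings.append(("review", line, f"{m['setting'].strip()} points at {m['url']}"))
    return findings


if __name__ == "__main__":
    for sev, line, reason in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {line}\n         -> {reason}")
```

On the sample, the three entries the script rates "high" (system.exe, the temp-folder executable and csrssp.exe) plus the O13 prefix are exactly the ones the fix list above removes outright, while carpserv.exe and REGSVR32.EXE only come back as "review": the bare-filename heuristic fires on legitimate driver helpers too, which is why an analyst still has to look before fixing. The truncated prefix in the log decodes only as far as the forum preserved it.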
Old 03-01-2005, 03:48 PM   #5
steveybob
Registered User
Join Date: Feb 2005
Location: kent UK
Posts: 157
OS: xp


Have killed some but not all

Hello again

Thanks for your help.

Have done as you requested.

Got rid of some but not all - here is the log below.

Would the fact that Norton Professional protects some files in a protected recycle bin... If so, I can't work out how to switch this function off. Any ideas?

Also, I think more .exe files have infiltrated the PC, e.g. the first processes.

I hope we can sort it out. Thanks again - I've found it rather interesting, although slightly worrying.


Logfile of HijackThis v1.99.1
Scan saved at 22:38:52, on 01/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Resume Windows Update Installation.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
Old 03-02-2005, 06:28 AM   #6
VADAR
Member
Join Date: Jan 2005
Location: Bristol,uk
Posts: 154
OS: win xp pro


Hi Steve,

For the CWShredder fix, did you run the scan and click OK to fix? Please run CWShredder again.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated)
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%...6E%65%74/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%...6E%65%74/?re=

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

NOTE: You can right-click the Recycle Bin and delete both the Norton Protected Files and the Recycle Bin. The Norton Protected Files will remain on your system for 7 days by default before they are deleted, unless you purge them manually.

Download StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
Old 03-02-2005, 09:58 AM   #7
steveybob
Registered User
Join Date: Feb 2005
Location: kent UK
Posts: 157
OS: xp


Done that, Searchdom still there

Hello again

Got snowed out of work (I'm a college lecturer), so I have time to sort this out. I'm very glad you're helping me out - cheers.

I did what you asked and I still have Searchdom in my HJT log, and I cannot connect to the internet without letting it through the firewall to get to here etc.

Below is the new HijackThis log from normal mode, and below that is the StartDreck log.

Hope you can see the probs.


Logfile of HijackThis v1.99.1
Scan saved at 16:27:17, on 02/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\unzipped\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Resume Windows Update Installation.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



Here is the StartDreck log, done after this last HJT log.

thanks again



StartDreck (build 2.1.7 public stable) - 2005-03-02 @ 16:45:55 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Steve at HOME

»Registry
»Run Keys
»Current User
»Run
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*RemoteCenter=C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
*Steam=
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
»RunOnce
»Default User
»Run
*NAV Auto Updates=csrssp.exe
*rant=rant.exe
*runs=run.exe
»RunOnce
»Local Machine
»Run
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
*CARPService=carpserv.exe
*CTSysVol=C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
*CTDVDDET=C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
*CTHelper=CTHELPER.EXE
*AsioReg=REGSVR32.EXE /S CTASIO.DLL
*SBDrvDet=C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
*UpdReg=C:\WINDOWS\UpdReg.EXE
*PinnacleDriverCheck=C:\WINDOWS\System32\PSDrvCheck.exe
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
*Advanced Tools Check=C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
*atwtusb=atwtusb.exe beta
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe
*SmcService=C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\INF\unregmp2.exe /ShowWMP
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player 8/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.searchdom.net
*CustomizeSearch=http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%74/?re=
*SearchAssistant=http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%74/?re=
+SearchUrl
*provider=
»Default User
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=about:blank
+SearchUrl
*provider=
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Steve\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Steve\Start Menu\Programs\Startup\Resume Windows Update Installation.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
`127.0.0.1 auto.search.msn.com
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\cxtpls_loader.exe
*C:\WINDOWS\System32\cxtpls_loader.exe
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
Old 03-03-2005, 12:57 AM   #8 (permalink)
Member
 
 
Join Date: Jan 2005
Location: Bristol,uk
Posts: 154
OS: win xp pro


Hi Steve,

Download Hoster (http://www.greyknight17.com/spy/Hoster.exe) and run it. Choose the 'Restore Original Hosts' button and press OK.

Reboot into Safe Mode.

Run StartDreck again in the same fashion.

Highlight these entries one at a time and click on the Delete button:

*Start Page=http://www.searchdom.net
*CustomizeSearch=http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%7 4/?re=
*SearchAssistant=http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%7 4/?re=

*Start Page=about:blank

Close StartDreck and reboot.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you have installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.

Run HijackThis again. Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Also, could you please send a new StartDreck log?
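The entries VADAR asks Steve to delete in the post above are the recognisable shape of this hijack: the IE Start Page, CustomizeSearch, SearchAssistant and O13 prefix values all point at searchdom.net, with the host percent-encoded (%77%77%77%2E... reads back as www.searchdom.net) so that a quick read of the log does not show the domain; the hosts file carries lines a clean XP install does not have; and the Default User Run key holds bare executable names such as csrssp.exe with no path. The Python below is an added example for this thread, not code from HijackThis, StartDreck or any poster. It reads lines in the shape of those logs, decodes the obfuscated URLs and flags the three patterns. The sample lines are constructed (values copied from Steve's logs), and the hijack-domain list and the "default hosts" set are assumptions to adapt to the case at hand.

```python
"""Audit HijackThis / StartDreck log lines for the hijack pattern in this thread:
percent-encoded IE search and prefix URLs, non-default hosts entries, and Run-key
values that are bare executable names. Added example; not part of either tool."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Assumption: domains this thread treats as hijackers. Extend for other cases.
HIJACK_DOMAINS = {"searchdom.net"}
# Assumption: the only line a clean XP hosts file carries.
DEFAULT_HOSTS = {("127.0.0.1", "localhost")}
# IE registry values that should hold URLs (names as both tools print them).
URL_KEYS = {"Start Page", "Search Page", "CustomizeSearch", "SearchAssistant",
            "DefaultPrefix", "WWW Prefix", "Default_Page_URL", "Default_Search_URL"}

# Constructed sample in the shape of Steve's logs (values copied from the thread).
SAMPLE_LOG = r"""
*Start Page=http://www.searchdom.net
*CustomizeSearch=http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%74/?re=
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%74/?re=
O1 - Hosts: 127.0.0.1 auto.search.msn.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
*NAV Auto Updates=csrssp.exe
*rant=rant.exe
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

LINE_PATTERNS = [
    (re.compile(r"^\*(?P<key>[^=]+)=(?P<val>.*)$"), "startdreck"),            # *Key=Value
    (re.compile(r"^R[01] - .*?,(?P<key>[^=]+?) = (?P<val>.*)$"), "ie"),       # R0/R1 ...,Key = url
    (re.compile(r"^O13 - (?P<key>[^:]+): (?P<val>.*)$"), "ie"),                # O13 - Prefix: url
    (re.compile(r"^O1 - Hosts: (?P<val>.*)$"), "hosts"),                       # O1 - Hosts: ip name
    (re.compile(r"^O4 - .*\\Run: \[(?P<key>[^\]]+)\] (?P<val>.*)$"), "run"),  # O4 - ..Run: [name] cmd
]
_EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)\b', re.IGNORECASE)

Finding = Tuple[str, str, str]   # (entry name, decoded value, reason)


def decode_url(value: str) -> str:
    """Undo %XX escapes: %77%77%77%2E... reads back as www.searchdom.net."""
    return unquote(value)


def hijack_domain(url: str) -> Optional[str]:
    """Return the matching hijack domain when the URL's host is (under) one."""
    host = (urlsplit(url).hostname or "").lower()
    for dom in HIJACK_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def check_url(key: str, raw: str) -> List[Finding]:
    reasons = []
    if "%" in urlsplit(raw).netloc:          # escapes in the host part are themselves a tell
        reasons.append("percent-encoded host")
    decoded = decode_url(raw)
    dom = hijack_domain(decoded)
    if dom:
        reasons.append(f"points at {dom}")
    return [(key, decoded, "; ".join(reasons))] if reasons else []


def check_hosts(raw: str) -> List[Finding]:
    parts = raw.split()
    if len(parts) < 2 or (parts[0], parts[1]) in DEFAULT_HOSTS:
        return []
    return [("Hosts", f"{parts[0]} {parts[1]}", "non-default hosts entry")]


def check_run(name: str, command: str) -> List[Finding]:
    """Flag Run values whose executable has no path: Windows then locates it by
    search order, and a look-alike name (csrssp.exe) hides among system names."""
    m = _EXE_RE.match(command)
    if not m:
        return []
    exe = m.group("exe")
    if re.match(r"^[A-Za-z]:\\", exe) or exe.startswith("%"):
        return []                                # fully qualified, nothing to flag
    return [(name, command, "bare executable name resolved via the search path")]


def audit(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        for pattern, kind in LINE_PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            val = m.group("val").strip()
            key = (m.groupdict().get("key") or "").strip()
            if kind == "hosts":
                findings += check_hosts(val)
            elif kind == "ie" or (kind == "startdreck" and key in URL_KEYS):
                findings += check_url(key, val)
            else:                                # StartDreck non-URL line, or an O4 entry
                findings += check_run(key, val)
            break
    return findings


if __name__ == "__main__":
    for name, value, reason in audit(SAMPLE_LOG):
        print(f"{name:20} {value:50} {reason}")
```

Run it over a saved StartDreck or HijackThis log with `audit(open(path).read())`. The 64.91.255.87 www.dcsresearch.com line is flagged too, which is correct behaviour for a checker: as VADAR says later in the thread, that one is added by TDS-3 and is harmless, and a human still decides what to delete.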
Old 03-03-2005, 03:55 AM   #9 (permalink)
Registered User
 
 
Join Date: Feb 2005
Location: kent UK
Posts: 157
OS: xp


OK - well, here it is.

Hey Vadar, how you doing - OK I hope -
Day off again for me - snow!
Here below are all the things you requested -

I still have to go through Searchdom to get to the internet - and Norton detected but deleted Spybot worm twice while I was using the TDS scan.
But it found some things - there are also some new things in the HJT log. Will this ever end?
Also, sometimes when I connect and get to Tech Forum I get a message from Sygate Firewall saying that an application has been hijacked?
I'm very grateful for all that you and Tech Support are doing though. Hope to hear from you again real soon.
Regards,
Steve







10:00:15 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
10:00:15 [Init] Started 03-03-05 10:00:15 GMT Standard Time (UTC: 0), Internet Time @458.51
10:00:15 [Init] Loading TDS-3 Systems ...
10:00:15 [Init] Token successfully adjusted.
10:00:15 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
10:00:16 [Init] • Plugins : OK. Loaded 13
10:00:16 [Init] • Exec Protection : Not Installed
10:00:16 [Init] WARNING: Your Radius.TD3 database needs to be updated!
10:00:16 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
10:00:16 [Init] Licensed users can use the Update facility from the TDS menu
10:00:16 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
10:00:19 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
10:00:19 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
10:00:19 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
10:00:19 [Init] TDS-3 Ready. <Steve@127.0.0.1 - United Kingdom>
10:00:19 [Tip Of The Day] DiamondCS have, and continue to develop a wide range of software, including the world's original and still the strongest BO2K scanner. Visit http://www.diamondcs.com.au for free downloads!
10:00:19 [TDS] Good morning Steve.
10:00:22 [Mutex Memory Scan] Started...
10:00:24 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:00:24 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
10:00:59 [CRC32] Started - verifying 29 files ...
10:01:00 [CRC32] File doesn't exist: C:\autoexec.bat
10:01:03 [CRC32] Test finished.
10:02:00 [Memory Scan] Memory scan started, please wait a moment ...
10:02:01 [Memory Scan] Memory scan complete.
10:02:01 [Mutex Memory Scan] Started...
10:02:03 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:02:03 [Trace Scan] Started...
10:02:07 [Trace Scan] Finished.
10:02:07 [ServiceScan] Scanning for services and drivers ...
10:02:11 [ServiceScan] Scanned 338 services and drivers.
10:02:11 [File Scan] Scanning in A:\ ...
10:02:12 [File Scan] Scanned 0 files: 0 alarms in 1.03125 seconds (Avg 1. files/sec)
10:02:12 [File Scan] Scanning in C:\ ...
10:25:47 [File Scan] Scanned 33628 files: 8 alarms in 1414.844 seconds (Avg 24.77 files/sec)
10:25:47 [File Scan] Scanning in D:\ ...
10:25:47 [File Scan] Scanned 0 files: 8 alarms in 0 seconds (Avg -1.#IND files/sec)
10:25:47 [File Scan] Scanning in E:\ ...
10:25:47 [File Scan] Scanned 0 files: 8 alarms in 0 seconds (Avg -1.#IND files/sec)
10:25:47 [File Scan] Scanning in F:\ ...
10:25:47 [File Scan] Scanned 0 files: 8 alarms in 0 seconds (Avg -1.#IND files/sec)
10:25:47 [Scan] Finished.


Scan Control Dumped @ 10:29:25 03-03-05
Positive identification: Trojan.Win32.Septic.a Dropper
File: c:\sepinst.exe

Suspicious Filename: Dual extensions
File: c:\windows\cxtpls_loader.sfx.exe

Positive identification <Adv>: Possible WebDownloader
File: c:\windows\pi1_25.exe

Positive variant identification: Juntador Beta.f (Variant)
File: c:\windows\system32\msfwe1.exe

Positive variant identification: Juntador Beta.f (Variant)
File: c:\windows\system32\navupdts.exe

Positive identification: Trojan.Win32.VB.kq Dropper
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\4ooec3mu\mw_4s_stub[1].exe

Positive identification (DLL): Adware.Toolbar.SideFind.a BHO (dll)
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\4ooec3mu\sfbho13[1].dll

Positive identification <Adv>: Possible WebDownloader
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\k9841ul0\pi1_25[1].exe


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:31:33, on 03/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\atwtusb.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - Startup: Resume Windows Update Installation.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe


End of KRC HijackThis Analyzer Log.
====================================================================


StartDreck (build 2.1.7 public stable) - 2005-03-03 @ 10:43:05 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Steve at HOME

»Registry
»Run Keys
»Current User
»Run
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*RemoteCenter=C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
*Steam=
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
»RunOnce
»Default User
»Run
*NAV Auto Updates=csrssp.exe
*rant=rant.exe
*runs=run.exe
»RunOnce
»Local Machine
»Run
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
*CARPService=carpserv.exe
*CTSysVol=C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
*CTDVDDET=C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
*CTHelper=CTHELPER.EXE
*AsioReg=REGSVR32.EXE /S CTASIO.DLL
*SBDrvDet=C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
*UpdReg=C:\WINDOWS\UpdReg.EXE
*PinnacleDriverCheck=C:\WINDOWS\System32\PSDrvCheck.exe
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
*Advanced Tools Check=C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
*atwtusb=atwtusb.exe beta
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe
*SmcService=C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
*SSC_UserPrompt=C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Steve\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Steve\Start Menu\Programs\Startup\Resume Windows Update Installation.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
*C:\WINDOWS\wininit.ini
*C:\WINDOWS\System32\drivers\etc\hosts
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+404=\SystemRoot\System32\smss.exe
+664=\??\C:\WINDOWS\system32\csrss.exe
+696=\??\C:\WINDOWS\system32\winlogon.exe
+740=C:\WINDOWS\system32\services.exe
+752=C:\WINDOWS\system32\lsass.exe
+900=C:\WINDOWS\System32\Ati2evxx.exe
+924=C:\WINDOWS\system32\svchost.exe
+964=C:\WINDOWS\System32\svchost.exe
+1004=C:\Program Files\Sygate\SPF\smc.exe
+1168=C:\WINDOWS\System32\svchost.exe
+1232=C:\WINDOWS\System32\svchost.exe
+1432=C:\WINDOWS\system32\spoolsv.exe
+1460=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+1620=C:\WINDOWS\System32\alg.exe
+1644=C:\WINDOWS\System32\CTsvcCDA.exe
+1668=C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
+1700=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+1736=C:\Program Files\Norton AntiVirus\navapsvc.exe
+1788=C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
+1960=C:\WINDOWS\System32\svchost.exe
+168=C:\WINDOWS\System32\MsPMSPSv.exe
+548=C:\WINDOWS\Explorer.EXE
+560=C:\WINDOWS\System32\wbem\wmiprvse.exe
+1100=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
+1096=C:\WINDOWS\System32\carpserv.exe
+1108=C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
+1196=C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
+1140=C:\WINDOWS\System32\CTHELPER.EXE
+1188=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
+1388=C:\WINDOWS\System32\atwtusb.exe
+1552=C:\Program Files\QuickTime\qttask.exe
+1592=C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
+1952=C:\Program Files\Messenger\msmsgs.exe
+2068=C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
+2084=C:\WINDOWS\System32\ctfmon.exe
+2124=C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
+2904=C:\WINDOWS\System32\wuauclt.exe
+2496=C:\Program Files\Internet Explorer\iexplore.exe
+2632=C:\WINDOWS\system32\NOTEPAD.EXE
+2108=C:\Windows\System32\Notepad.exe
+2696=C:\startdrek\StartDreck.exe
»NT Services
*Alerter Alerter running auto
*Application Layer Gateway Service ALG running on demand
*Application Management AppMgmt - on demand
*ASP.NET State Service aspnet_state - on demand
*Ati HotKey Poller Ati HotKey Poller running auto
*ATI Smart ATI Smart - auto
*Windows Audio AudioSrv running auto
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser running auto
*Symantec Event Manager ccEvtMgr running auto
*Symantec Password Validation Service ccPwdSvc - on demand
*Indexing Service cisvc - on demand
*ClipBook ClipSrv - on demand
*COM+ System Application COMSysApp - on demand
*Creative Service for CDROM Access Creative Service for running auto
*Cryptographic Services CryptSvc running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver - on demand
*DNS Client Dnscache running auto
*EPSON Printer Status Agent2 EPSONStatusAgent2 running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
*Help and Support helpsvc running auto
*Human Interface Device Access HidServ - disabled
*IMAPI CD-Burning COM Service ImapiService - on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*Machine Debug Manager MDM running auto
*Messenger Messenger running auto
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Norton AntiVirus Auto Protect Service navapsvc running auto
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*Norton Unerase Protection NProtectService running auto
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*ScriptBlocking Service SBService - auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Firewall (ICF) / Internet C SharedAccess running auto
`onnection Sharing (ICS)
*Shell Hardware Detection ShellHWDetection running auto
*Sygate Personal Firewall SmcService running auto
*Symantec Network Drivers Service SNDSrvc - on demand
*Print Spooler Spooler running auto
*System Restore Service srservice - auto
*SSDP Discovery Service SSDPSRV running on demand
*Windows Image Acquisition (WIA) stisvc running auto
*MS Software Shadow Copy Provider SwPrv - on demand
*SymWMI Service SymWSC - auto
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Distributed Link Tracking Client TrkWks running auto
*Upload Manager uploadmgr running auto
*Universal Plug and Play Device Host upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time W32Time running auto
*WebClient WebClient running auto
*Windows Management Instrumentation winmgmt running auto
*WMDM PMSP Service WMDM PMSP Service running auto
*Portable Media Serial Number WmdmPmSp running auto
*WMI Performance Adapter WmiApSrv - on demand
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
»Application specific
Old 03-03-2005, 10:28 AM   #10 (permalink)
Member
 
 
Join Date: Jan 2005
Location: Bristol,uk
Posts: 154
OS: win xp pro


Hi Steve, we will get there.

Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

c:\sepinst.exe
c:\windows\cxtpls_loader.sfx.exe
c:\windows\pi1_25.exe
c:\windows\system32\msfwe1.exe
c:\windows\system32\navupdts.exe

Run cleanup again.

Run CWShredder again and click on 'Fix' (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%...6E%65%7 4/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%...6E%65%7 4/?re=


You may fix that dcsresearch.com host entry if you want. It's added by the TDS-3 program and is not harmful.

Run cleanup again.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
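A small triage script for the kind of entries listed in the fix above, as an added example that is not part of this thread or of HijackThis. It undoes the percent-encoding in the O13 prefixes (the full encoded string is the one that appears later in the StartDreck output), matches start/search pages against a hijack domain, reports any hosts override that does not point at loopback so the analyst can decide (the dcsresearch.com one is harmless per the note above), and flags O4 Run entries that name a bare executable with no path, since Windows then locates it through the process search path and a same-named file dropped in C:\ or System32 can take its place. The sample lines are constructed from the logs posted in this thread; the domain list and the function names are mine.

```python
"""Triage HijackThis entries for search-page hijacks and weak Run entries.

Added example for this thread; not HijackThis code. Domain list, sample
lines and function names are the author's own constructions.
"""
import re
from urllib.parse import unquote, urlsplit

# Domains treated as a hijack when they turn up as start/search page or URL prefix.
HIJACK_DOMAINS = {"searchdom.net"}

# Constructed sample, modelled on the log posted in this thread. The O13 lines
# carry the full percent-encoded prefix as it appears in the StartDreck output.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%74/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%74/?re=
""".strip()

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def decode_url(value):
    """Strip HJT's '(obfuscated)' marker and undo percent-encoding, which
    hijackers use so the hostname does not stand out in a quick read."""
    return unquote(value.replace("(obfuscated)", "")).strip()


def host_matches(url, domains):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def executable_of(cmd):
    """First token of a Run command: the quoted path if quoted, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text, domains=HIJACK_DOMAINS):
    """Return (kind, name, detail) tuples for entries worth fixing or checking."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            url = decode_url(value)
            if host_matches(url, domains):
                findings.append((kind, key, url))
        elif kind == "O13":
            key, _, value = body.partition(": ")
            url = decode_url(value)
            if host_matches(url, domains):
                findings.append((kind, key, url))
        elif kind == "O1":
            # "Hosts: <ip> <name>": anything not pointing at loopback redirects that name
            parts = body.split()
            if len(parts) >= 3 and parts[1] != "127.0.0.1":
                findings.append((kind, parts[2], parts[1]))
        elif kind == "O4":
            o4 = O4_RE.search(body)
            if not o4:
                continue
            exe = executable_of(o4.group("cmd"))
            # A bare filename is located through the process search path, so a
            # same-named file dropped in C:\ or System32 can silently take its place.
            if exe and not re.search(r"[\\:]", exe):
                findings.append((kind, o4.group("name"), exe))
    return findings


if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:4} {name:<60} -> {detail}")
```

Run it against a saved log by passing the file's text to `triage()`; every R0/R1/O13 hit is a candidate for 'Fix checked', while the O1 and O4 hits are prompts to look at the file before deciding.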
Old 03-03-2005, 11:10 AM   #11 (permalink)
Registered User
 
Join Date: Feb 2005
Location: kent UK
Posts: 157
OS: xp


Hello again

Did you see run.exe and rant.exe are back near the top of the last StartDreck log?

I'll do what you asked and get back ASAP.

Regards, Steve

It's still there - amazing? This thing is slippery - hope this helps, Vadar!

Would it be better for me to download the Firefox browser and use that to get to Tech Support Forum instead of going through Internet Explorer and Searchdom every time I need to post or read something?

My confidence isn't waning yet, I'm sure we'll do it!

Here's hoping,

Steve




====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 17:59:15, on 03/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\atwtusb.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated)
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - Startup: Resume Windows Update Installation.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe


End of KRC HijackThis Analyzer Log.
====================================================================
Old 03-03-2005, 11:36 AM   #12 (permalink)
Member
 
Join Date: Jan 2005
Location: Bristol,uk
Posts: 154
OS: win xp pro


Hi Steve, this is a stubborn log, but rest assured the fixes are closely looked at by expert analysts.

Thanks for your patience.
Old 03-03-2005, 12:41 PM   #13 (permalink)
Registered User
 
Join Date: Feb 2005
Location: kent UK
Posts: 157
OS: xp


Very grateful

Vadar

I'm just very grateful there are guys like you out there willing to help; I really don't know what I would have done without you.

I'm optimistic it will be sorted out, and am awaiting your instructions.

Thanks to all of you at Tech Support.

Steve
Old 03-04-2005, 06:29 AM   #14 (permalink)
Registered User
 
Join Date: Feb 2005
Location: kent UK
Posts: 157
OS: xp


Loads of time today

Vadar

If you've been checking this, which I'm sure you have been, I have loads of time today to try your next moves, as the snow has brought me back home again.

I know you're working hard to find a fix, so please don't feel I'm being pushy.

I welcome and await your reply.

Steve
Old 03-04-2005, 08:12 AM   #15 (permalink)
Registered User
 
Join Date: Feb 2005
Location: kent UK
Posts: 157
OS: xp


Adware search

Hi, did an Ad-Aware search; it found these items below - did not delete them, waiting for your advice. Cheers, Steve

Lavasoft Ad-Aware Personal Build 1.03
Logfile created on:04 March 2005 14:53:46
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R28 16.02.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ebates MoneyMaker(TAC index:4):1 total references
Elitum.ElitebarBHO(TAC index:5):5 total references
istbar(TAC index:6):1 total references
MRU List(TAC index:0):40 total references
Windows(TAC index:3):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Old 03-04-2005, 09:21 AM   #16 (permalink)
Member
 
Join Date: Jan 2005
Location: Bristol,uk
Posts: 154
OS: win xp pro


Hi Steve,

Run Ad-Aware again and delete what it finds.

Run StartDreck with the same options checked. Click on each of the following and hit the Delete button in the program:

*NAV Auto Updates=csrssp.exe
*rant=rant.exe
*runs=run.exe

Then do a search for these files and delete them if found:

csrssp.exe
rant.exe

c:\windows\system32\run.exe >>>>> Have a look to see if run.exe is in the system32 folder. If it is, delete it directly.

Post your HJT fixes right after the above.
Old 03-04-2005, 10:45 AM   #17 (permalink)
Registered User
 
Join Date: Feb 2005
Location: kent UK
Posts: 157
OS: xp


Here's the next log

Hi Vadar - hope you're OK.

Did as you said, tried to delete csrssp.exe and this message came up:


'Cannot delete csrssp: It is being used by another person or program. Close any programs that are using it and try again.'

Did not find run.exe in the system32 folder.

What next??? Steve

Here is the new HJT log


Logfile of HijackThis v1.99.1
Scan saved at 17:42:42, on 04/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Resume Windows Update Installation.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Old 03-04-2005, 12:28 PM   #18 (permalink)
Member
 
Join Date: Jan 2005
Location: Bristol,uk
Posts: 154
OS: win xp pro


Hi Steve,

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

c:\windows\system32\csrssp.exe
c:\windows\csrssp.exe

Can you please run

Ad-aware->>>>Make sure to update
Spybot->>>>Make sure to update
CWShredder

And post new HijackThis and StartDreck log.
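What 'Delete on Reboot' does under the hood, and how to confirm a deletion is actually queued before rebooting, as an added example that is not from this thread or from KillBox. It assumes (my assumption, not stated on the page) that KillBox queues the file through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT; Windows records such requests in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager as (source, destination) pairs, an empty destination meaning delete, and applies them early in the next boot before anything can lock the file again. The sample entries are constructed from the two paths listed above plus one rename; function names are mine.

```python
r"""Read back the 'delete on reboot' queue behind tools such as KillBox.

Added example; not from the thread or from KillBox. Assumption: 'Delete on
Reboot' calls MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT). Windows records
such requests in the REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
as (source, destination) pairs; the Session Manager applies them early in the
next boot, before the file can be opened again. An empty destination = delete.
"""
import sys

SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"


def encode_multi_sz(strings):
    """Pack a str list as REG_MULTI_SZ bytes: UTF-16LE, every string NUL-terminated,
    then one more NUL. Empty strings are legal and are what 'delete' looks like."""
    return "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"


def decode_multi_sz(raw):
    """Inverse of encode_multi_sz, on raw bytes on purpose: winreg's REG_MULTI_SZ
    decoding treats the first empty string as the end of the list, so it would
    cut this value off right after the first queued deletion."""
    text = raw.decode("utf-16-le")
    if text in ("", "\x00", "\x00\x00"):
        return []
    if text.endswith("\x00\x00"):      # drop the list terminator
        text = text[:-1]
    parts = text.split("\x00")
    return parts[:-1]                  # last element is '' after the final NUL


def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending(strings):
    """Pair the strings up. target None = delete; replace=True corresponds to a
    '!' prefix on the destination (MOVEFILE_REPLACE_EXISTING)."""
    if len(strings) % 2:
        raise ValueError("odd number of strings: value is corrupt or truncated")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append({"source": _strip_nt(src),
                    "target": _strip_nt(dst) if dst else None,
                    "replace": replace})
    return ops


def queued_deletions(strings):
    """Lower-cased paths that will be removed at the next boot."""
    return {op["source"].lower() for op in parse_pending(strings) if op["target"] is None}


def missing_from_queue(strings, wanted):
    """Paths from 'wanted' that are NOT queued: these will survive the reboot."""
    queued = queued_deletions(strings)
    return [p for p in wanted if p.lower() not in queued]


def read_live_value():
    """Windows only: fetch the raw bytes through RegQueryValueExW so that embedded
    empty strings survive. Returns b'' when nothing is pending."""
    import ctypes
    import winreg
    adv = ctypes.windll.advapi32
    adv.RegQueryValueExW.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_void_p,
                                     ctypes.POINTER(ctypes.c_uint32), ctypes.c_void_p,
                                     ctypes.POINTER(ctypes.c_uint32)]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY, 0, winreg.KEY_READ) as k:
        typ, size = ctypes.c_uint32(), ctypes.c_uint32(0)
        rc = adv.RegQueryValueExW(k.handle, PENDING_VALUE, None, ctypes.byref(typ), None, ctypes.byref(size))
        if rc == 2:                                  # ERROR_FILE_NOT_FOUND: nothing queued
            return b""
        buf = ctypes.create_string_buffer(size.value)
        rc = adv.RegQueryValueExW(k.handle, PENDING_VALUE, None, ctypes.byref(typ), buf, ctypes.byref(size))
        if rc != 0:
            raise OSError(rc, "RegQueryValueExW failed")
        return buf.raw[:size.value]


# Constructed sample: the two csrssp.exe paths from the post above, plus one
# rename so the '!' form is exercised too.
SAMPLE_RAW = encode_multi_sz([
    NT_PREFIX + r"C:\WINDOWS\system32\csrssp.exe", "",
    NT_PREFIX + r"C:\WINDOWS\csrssp.exe", "",
    NT_PREFIX + r"C:\WINDOWS\Temp\patch.tmp", "!" + NT_PREFIX + r"C:\WINDOWS\system32\patched.dll",
])

if __name__ == "__main__":
    raw = read_live_value() if sys.platform == "win32" else SAMPLE_RAW
    strings = decode_multi_sz(raw)
    for op in parse_pending(strings):
        print(op)
    print("not queued:", missing_from_queue(strings, [r"C:\WINDOWS\system32\csrssp.exe",
                                                      r"C:\WINDOWS\run.exe"]))
```

The same value is worth reading during incident triage for the opposite reason: malware can use it to drop or overwrite files at the next boot, so any entry you did not queue yourself deserves a look before you reboot.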
Old 03-04-2005, 02:57 PM   #19 (permalink)
Registered User
 
Join Date: Feb 2005
Location: kent UK
Posts: 157
OS: xp


Done that.......

Hi Vadar

I ran KillBox and then rebooted before I did the other scans; I hope that was right - you didn't specify this, but I guessed they needed to be out of the picture for the other logs. I also got a page flash up just before the PC shut down from 'Lucky dreams .com', an old popup that you helped sort out at the beginning???

Here are the other logs you asked for.

The problems are still there.

Steve

Logfile of HijackThis v1.99.1
Scan saved at 21:00:12, on 04/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdom.net/?re= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdom.net/?re= (obfuscated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Resume Windows Update Installation.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O13 - DefaultPrefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O13 - WWW Prefix: http://%77%77%77%2E%73%65%61%72%63%6...%6E%65%74/?re=
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

StartDreck (build 2.1.7 public stable) - 2005-03-04 @ 21:02:15 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Steve at HOME

»Registry
»Run Keys
»Current User
»Run
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*RemoteCenter=C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
*Steam=
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ATIPTA=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
*CARPService=carpserv.exe
*CTSysVol=C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
*CTDVDDET=C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
*CTHelper=CTHELPER.EXE
*AsioReg=REGSVR32.EXE /S CTASIO.DLL
*SBDrvDet=C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
*UpdReg=C:\WINDOWS\UpdReg.EXE
*PinnacleDriverCheck=C:\WINDOWS\System32\PSDrvCheck.exe
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
*Advanced Tools Check=C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
*atwtusb=atwtusb.exe beta
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe
*SmcService=C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
*SSC_UserPrompt=C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\INF\unregmp2.exe /ShowWMP
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player 8/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.searchdom.net
*CustomizeSearch=http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%74/?re=
*SearchAssistant=http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%74/?re=
+SearchUrl
*provider=
»Default User
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
+SearchUrl
*provider=
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Steve\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Steve\Start Menu\Programs\Startup\Resume Windows Update Installation.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
`127.0.0.1 auto.search.msn.com
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\cxtpls_loader.exe
*C:\WINDOWS\System32\cxtpls_loader.exe
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+600=\SystemRoot\System32\smss.exe
+664=\??\C:\WINDOWS\system32\csrss.exe
+688=\??\C:\WINDOWS\system32\winlogon.exe
+732=C:\WINDOWS\system32\services.exe
+744=C:\WINDOWS\system32\lsass.exe
+884=C:\WINDOWS\System32\Ati2evxx.exe
+908=C:\WINDOWS\system32\svchost.exe
+936=C:\WINDOWS\System32\svchost.exe
+976=C:\Program Files\Sygate\SPF\smc.exe
+1116=C:\WINDOWS\System32\svchost.exe
+1208=C:\WINDOWS\System32\svchost.exe
+1400=C:\WINDOWS\system32\spoolsv.exe
+1428=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+1580=C:\WINDOWS\System32\alg.exe
+1612=C:\WINDOWS\System32\CTsvcCDA.exe
+1632=C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
+1696=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+1744=C:\Program Files\Norton AntiVirus\navapsvc.exe
+1772=C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
+1988=C:\WINDOWS\System32\svchost.exe
+156=C:\WINDOWS\System32\MsPMSPSv.exe
+552=C:\WINDOWS\Explorer.EXE
+560=C:\WINDOWS\System32\wbem\wmiprvse.exe
+900=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
+1048=C:\WINDOWS\System32\carpserv.exe
+1096=C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
+1124=C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
+1132=C:\WINDOWS\System32\CTHELPER.EXE
+1240=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
+1284=C:\WINDOWS\System32\atwtusb.exe
+1324=C:\Program Files\QuickTime\qttask.exe
+1352=C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
+1904=C:\Program Files\Messenger\msmsgs.exe
+2076=C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
+2148=C:\WINDOWS\System32\ctfmon.exe
+2564=C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
+3020=C:\WINDOWS\System32\wuauclt.exe
+2724=C:\WINDOWS\System32\ctfmon.exe
+3744=C:\WINDOWS\system32\NOTEPAD.EXE
+2192=C:\startdrek\StartDreck.exe
»NT Services
*Alerter Alerter running auto
*Application Layer Gateway Service ALG running on demand
*Application Management AppMgmt - on demand
*ASP.NET State Service aspnet_state - on demand
*Ati HotKey Poller Ati HotKey Poller running auto
*ATI Smart ATI Smart - auto
*Windows Audio AudioSrv running auto
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser running auto
*Symantec Event Manager ccEvtMgr running auto
*Symantec Password Validation Service ccPwdSvc - on demand
*Indexing Service cisvc - on demand
*ClipBook ClipSrv - on demand
*COM+ System Application COMSysApp - on demand
*Creative Service for CDROM Access Creative Service for running auto
*Cryptographic Services CryptSvc running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver - on demand
*DNS Client Dnscache running auto
*EPSON Printer Status Agent2 EPSONStatusAgent2 running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
*Help and Support helpsvc running auto
*Human Interface Device Access HidServ - disabled
*IMAPI CD-Burning COM Service ImapiService - on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*Machine Debug Manager MDM running auto
*Messenger Messenger running auto
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Norton AntiVirus Auto Protect Service navapsvc running auto
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*Norton Unerase Protection NProtectService running auto
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*ScriptBlocking Service SBService - auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) SharedAccess running auto
*Shell Hardware Detection ShellHWDetection running auto
*Sygate Personal Firewall SmcService running auto
*Symantec Network Drivers Service SNDSrvc - on demand
*Print Spooler Spooler running auto
*System Restore Service srservice - auto
*SSDP Discovery Service SSDPSRV running on demand
*Windows Image Acquisition (WIA) stisvc running auto
*MS Software Shadow Copy Provider SwPrv - on demand
*SymWMI Service SymWSC - auto
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Distributed Link Tracking Client TrkWks running auto
*Upload Manager uploadmgr running auto
*Universal Plug and Play Device Host upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time W32Time running auto
*WebClient WebClient running auto
*Windows Management Instrumentation winmgmt running auto
*WMDM PMSP Service WMDM PMSP Service running auto
*Portable Media Serial Number WmdmPmSp running auto
*WMI Performance Adapter WmiApSrv - on demand
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

hey vadar

what do you think???

steve
Old 03-04-2005, 04:06 PM   #20 (permalink)
VADAR
Member
Join Date: Jan 2005
Location: Bristol,uk
Posts: 154
OS: win xp pro

Hi Steve,

Download Hoster (http://www.greyknight17.com/spy/Hoster.exe) and run it. Choose the 'Restore Original Hosts' button and press OK.

Reboot into Safe Mode.

Run StartDreck again in the same fashion.

Highlight these entries one at a time and click on the Delete button:

*Start Page=http://www.searchdom.net
*CustomizeSearch=http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%74/?re=
*SearchAssistant=http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%74/?re=

Close StartDreck and reboot.

Run KillBox again and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

+C:\cxtpls_loader.exe
*C:\WINDOWS\System32\cxtpls_loader.exe

Run cleanup again

Run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
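The CustomizeSearch and SearchAssistant values in the reply above are percent-encoded so that a plain text search of the registry or a log for "searchdom" finds nothing; decoded, both resolve to www.searchdom.net. The script below is an added example written for this thread (it is not code from the forum, from StartDreck or from Hoster): it decodes StartDreck-style `Name=URL` lines, flags those whose host belongs to a hijacker domain, and lists hosts-file mappings other than the stock localhost line, which is what the "Restore Original Hosts" step in Hoster undoes. The sample entries, the sample hosts file and the HIJACKER_DOMAINS set are constructed for illustration.

```python
"""Spot percent-encoded browser hijack URLs and non-default hosts-file entries.

Added example for this thread, not code from the forum, StartDreck or Hoster.
Input is 'Name=URL' lines in the form StartDreck prints (leading '*' or '+'
markers) and the text of a Windows hosts file; both samples below are
constructed for illustration.
"""
from urllib.parse import unquote, urlsplit

# Constructed sample. The first three values mirror the entries the reply asks
# to delete; the fourth is a benign Microsoft default for contrast.
SAMPLE_ENTRIES = """\
*Start Page=http://www.searchdom.net
*CustomizeSearch=http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%74/?re=
*SearchAssistant=http://%77%77%77%2E%73%65%61%72%63%68%64%6F%6D%2E%6E%65%74/?re=
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"""

# Constructed sample hosts file: one stock line plus two planted redirections.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com
127.0.0.1       liveupdate.symantec.com  # blocks AV updates
"""

# Domain being cleaned up in this thread (assumption: the only one of interest).
HIJACKER_DOMAINS = {"searchdom.net"}


def decode_entry(line):
    """Return (name, decoded_url) for a 'Name=URL' log line, else None."""
    line = line.strip().lstrip("*+")
    if "=" not in line:
        return None
    name, raw = line.split("=", 1)
    # unquote() turns %77%77%77%2E... back into 'www.' so the host is readable
    return name, unquote(raw)


def host_of(url):
    """Lower-cased host part of a URL ('' if there is none)."""
    return (urlsplit(url).hostname or "").lower()


def is_hijacked(url, bad_domains=HIJACKER_DOMAINS):
    """True if the URL's host is one of bad_domains or a subdomain of one."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def find_hijacked_entries(text, bad_domains=HIJACKER_DOMAINS):
    """Names and decoded URLs of log entries pointing at a hijacker domain."""
    hits = []
    for line in text.splitlines():
        parsed = decode_entry(line)
        if parsed and is_hijacked(parsed[1], bad_domains):
            hits.append(parsed)
    return hits


def nondefault_hosts_entries(text):
    """(ip, hostname) pairs other than the stock '127.0.0.1 localhost' line."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if not (ip == "127.0.0.1" and name.lower() == "localhost"):
                found.append((ip, name.lower()))
    return found


if __name__ == "__main__":
    for name, url in find_hijacked_entries(SAMPLE_ENTRIES):
        print(f"hijacked {name}: {url}")
    for ip, name in nondefault_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts override {name} -> {ip}")
```

Matching is done on the decoded host, not on the raw string: `host_of()` applied to the undecoded CustomizeSearch value returns the percent-encoded netloc and never contains "searchdom", which is exactly why the hijacker stored it that way. Any mapping the hosts-file check reports should be compared against what the machine owner actually added on purpose before Hoster's restore is trusted as the fix.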
Copyright 2001 - 2009, Tech Support Forum