Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)
11-21-2005, 09:39 AM   #1   sb_nac0 (Registered User, OS: win xp he)
nasty virus

I'd really appreciate any help with this because my computer is really messed up at the moment after picking up a nasty trojan.

I haven't been able to scan it with programs since it is really slow and unresponsive... (hardly managed to produce a HJT log)

I can't seem to boot up in safe mode either... it just loads up the processes and then does nothing...

Along with that I keep getting this program 'Spy Sheriff' loading up and scanning and saying it's infected etc. I can't close it no matter how many times I push the X button and end the process (along with many other suspicious processes that can't be closed, such as command.exe)... I also keep getting popups from everywhere including the desktop... along with all the other crap the virus loaded...

So yeah, it looks pretty bad from this end...

Here's the log...

Logfile of HijackThis v1.99.1
Scan saved at 15:20:11, on 21/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\d2F5bmU\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HijackThis.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AccountLogon] C:\Program Files\AccountLogon\AccountLogon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [wfzr] C:\PROGRA~1\COMMON~1\wfzr\wfzrm.exe
O4 - Startup: World Community Grid Agent.lnk = C:\Program Files\WorldCommunityGrid\UD.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-wayne.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-wayne.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-wayne.html (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\udlmon.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\elpiblof.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d2F5bmU\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

11-21-2005, 11:21 AM   #2   alba (Analyst, Security Team)
Hi there and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

Please be patient with me during this time.


We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".


regards
alba
__________________
Member of UNITE
If I have helped you in any way, please DONATE to TSF. Go raibh maith agat (thank you).
11-21-2005, 12:44 PM   #3   sb_nac0 (Registered User)
Thanks for your time alba.

I disconnected my internet connection and that seemed to stop the pop-ups, which improved the performance a lot, which enabled me to run Ad-Aware etc., which got rid of a lot of junk... I also managed to close and delete that annoying program 'Spy Sheriff' which kept coming up, along with a few others.

Here's a new log...

Logfile of HijackThis v1.99.1
Scan saved at 17:37:20, on 21/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\d2F5bmU\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WorldCommunityGrid\UD.EXE
C:\PROGRA~1\COMMON~1\wfzr\wfzra.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WorldCommunityGrid\ud_3434601.exe
C:\Program Files\WorldCommunityGrid\ud_3434601_0.dir\WCGrid_AutoDock.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AccountLogon] C:\Program Files\AccountLogon\AccountLogon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: World Community Grid Agent.lnk = C:\Program Files\WorldCommunityGrid\UD.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-wayne.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-wayne.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-wayne.html (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\udlmon.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\elpiblof.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
11-21-2005, 02:29 PM   #4   alba (Analyst, Security Team)
Hello sb_nac0, welcome back to TSF.


Please do the following:

Download & immediately run - L2MFix.exe
Click "Install" to extract the contents to a newly created folder.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then it will ask for a password so please enter bye (lowercase) then hit enter. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!


If after the reboot the log does not open double click on it in the l2mfix folder and post it.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications - you will need to visit this website to download additional files.

Regards

alba
11-22-2005, 01:03 AM   #5   sb_nac0 (Registered User)
Thanks for your help alba :)

Here's the log:

Starting Beta Fix 111805
Granting SeDebugPrivilege to L2MFIX ... successful
Setting Directory
C:\Documents and Settings\wayne\Desktop\l2mfix

Running From:
C:\Documents and Settings\wayne\Desktop\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 320 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 400 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1152 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1012 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\d0j0la1m1d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hrju0519e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\krdhe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o4840elqehqe0.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\o648lghu1648.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\d0j0la1m1d.dll
Successfully Deleted: C:\WINDOWS\system32\d0j0la1m1d.dll
deleting: C:\WINDOWS\system32\hrju0519e.dll
Successfully Deleted: C:\WINDOWS\system32\hrju0519e.dll
deleting: C:\WINDOWS\system32\krdhe.dll
Successfully Deleted: C:\WINDOWS\system32\krdhe.dll
deleting: C:\WINDOWS\system32\o4840elqehqe0.dll
Successfully Deleted: C:\WINDOWS\system32\o4840elqehqe0.dll
deleting: C:\WINDOWS\system32\o648lghu1648.dll
Successfully Deleted: C:\WINDOWS\system32\o648lghu1648.dll

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: d0j0la1m1d.dll (deflated 5%)
adding: hrju0519e.dll (deflated 5%)
adding: krdhe.dll (deflated 5%)
adding: o4840elqehqe0.dll (deflated 5%)
adding: o648lghu1648.dll (deflated 5%)
zip warning: name not matched: *.tmp

zip error: Nothing to do! (backup.zip)
adding: clear.reg (deflated 22%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 52%)
adding: direct.txt (stored 0%)
adding: lo2.txt (deflated 72%)
adding: flag.txt (stored 0%)
adding: test2.txt (stored 0%)
adding: test3.txt (stored 0%)
adding: test5.txt (stored 0%)
adding: test.txt (deflated 59%)
adding: xfind.txt (deflated 53%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/36709C39-5595-4703-9152-D99C83502ED4.reg (deflated 70%)

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:

deleting local copy: d0j0la1m1d.dll
deleting local copy: hrju0519e.dll
deleting local copy: krdhe.dll
deleting local copy: o4840elqehqe0.dll
deleting local copy: o648lghu1648.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OpenGLdrivers]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\d0j0la1m1d.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\d0j0la1m1d.dll
C:\WINDOWS\system32\hrju0519e.dll
C:\WINDOWS\system32\krdhe.dll
C:\WINDOWS\system32\o4840elqehqe0.dll
C:\WINDOWS\system32\o648lghu1648.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{36709C39-5595-4703-9152-D99C83502ED4}"=-
[-HKEY_CLASSES_ROOT\CLSID\{36709C39-5595-4703-9152-D99C83502ED4}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
The user name could not be found.

More help is available by typing NET HELPMSG 2221.

Checking for L2MFix account:



And a new HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 08:02:00, on 22/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WorldCommunityGrid\UD.EXE
C:\Program Files\WorldCommunityGrid\ud_3434601.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\WorldCommunityGrid\ud_3434601_0.dir\WCGrid_AutoDock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AccountLogon] C:\Program Files\AccountLogon\AccountLogon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Startup: World Community Grid Agent.lnk = C:\Program Files\WorldCommunityGrid\UD.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-wayne.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-wayne.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-wayne.html (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: OpenGLdrivers - C:\WINDOWS\system32\d0j0la1m1d.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\elpiblof.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Old 11-22-2005, 08:35 AM   #6 (permalink)
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Hello again sb_nac0


Please read through the instructions carefully before starting the fix.


===============================================


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.


If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download
smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

===============================================

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


===============================================
Fix

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

Go to Start > Run - type this in & click OK

C:\Documents and Settings\wayne\Desktop\l2mfix\regfixes\winlogondefaults.reg

===============================================

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O20 - Winlogon Notify: OpenGLdrivers - C:\WINDOWS\system32\d0j0la1m1d.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\elpiblof.dll



Please remember to close all other windows, including browsers then click Fix checked.



===============================================

Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files:
  • C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    C:\WINDOWS\system32\elpiblof.dll

===============================================

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop

Close Ewido

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


===============================================

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

Reboot to normal

===============================================

In your next post, please include fresh logs from:
  1. HiJackThis
  2. smitfiles.txt
  3. Ewido
  4. Panda scan report
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Regards

alba
__________________


Member of UNITE

If I have helped you in anyway, please DONATE to TSF Go raibh maith agat
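The HijackThis entries alba singles out above share a few tell-tale traits: IE's default/local page reset to about:blank, a Run value named [Shell] pointing at an executable under Program Files, a Winlogon Notify DLL that is "(file missing)", and an SSODL handler that is not one of XP's defaults. As an added example (not part of this thread and not HijackThis's own logic), the script below parses lines in the log's format and flags entries with those traits; the rule set, the random-name heuristic and the SSODL allowlist are assumptions made for the example.

```python
"""Rule-based triage of HijackThis 1.99.1 log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines the poster submitted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: OpenGLdrivers - C:\WINDOWS\system32\d0j0la1m1d.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\elpiblof.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# Every HJT entry starts with its section code (R0, O4, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Assumption: Run values using the name of a Winlogon setting are impersonating it;
# the real shell is configured under Winlogon\Shell, never as a Run value.
IMPERSONATED_NAMES = {"shell", "userinit"}

# Assumption: the ShellServiceObjectDelayLoad handlers present on a default XP install.
XP_SSODL_DLLS = {"stobject.dll", "shell32.dll", "webcheck.dll"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def basename_of(path: str) -> str:
    """Last path component, with any trailing annotation such as '(file missing)' dropped."""
    return path.rsplit("\\", 1)[-1].split(" ")[0].lower()


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): generated names mix digits inside letters (d0j0la1m1d)
    or have almost no vowels. Only applied to Winlogon Notify DLL names here."""
    if re.search(r"\d[a-z]", stem):
        return True
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.15


def triage(log_text: str) -> list[Finding]:
    """Return the entries an analyst would pull into 'Fix checked', with the reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        reason = None
        if section in ("R0", "R1") and "about:blank" in body and any(
            key in body for key in ("Default_Page_URL", "Local Page")
        ):
            reason = "IE default/local page reset to about:blank (hijack residue)"
        elif section == "O4":
            bm = re.search(r"\[([^\]]+)\]\s*(.*)", body)
            if bm and bm.group(1).lower() in IMPERSONATED_NAMES:
                reason = f"Run value named [{bm.group(1)}] impersonates a Windows component"
        elif section == "O20":
            path = body.split(" - ")[-1]
            stem = basename_of(path).rsplit(".", 1)[0]
            if "(file missing)" in path:
                reason = "Winlogon Notify DLL is missing; orphaned entry should be removed"
            elif looks_random(stem):
                reason = "Winlogon Notify DLL has a random-looking name"
        elif section == "O21":
            if basename_of(body.split(" - ")[-1]) not in XP_SSODL_DLLS:
                reason = "SSODL handler is not one of the default XP handlers"
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```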
Old 11-22-2005, 12:33 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2004
Posts: 37
OS: win xp he


ok, I have done that successfully, however I had to do the active scan in normal mode for my internet to work...

here are the logs:



Logfile of HijackThis v1.99.1
Scan saved at 19:22:44, on 22/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WorldCommunityGrid\UD.EXE
C:\Program Files\WorldCommunityGrid\ud_3434601.exe
C:\Program Files\WorldCommunityGrid\ud_3434601_0.dir\WCGrid_AutoDock.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AccountLogon] C:\Program Files\AccountLogon\AccountLogon.exe
O4 - Startup: World Community Grid Agent.lnk = C:\Program Files\WorldCommunityGrid\UD.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-wayne.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-wayne.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-wayne.html (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 18:37:08, 22/11/2005
+ Report-Checksum: 4994902D

+ Scan result:

C:\Documents and Settings\wayne\Desktop\l2mfix\backup.zip/hrju0519e.dll -> Spyware.Look2Me : Ignored
C:\Documents and Settings\wayne\Desktop\l2mfix\backup.zip/krdhe.dll -> Spyware.Look2Me : Ignored
C:\Documents and Settings\wayne\Desktop\l2mfix\backup.zip/o4840elqehqe0.dll -> Spyware.Look2Me : Ignored
C:\Documents and Settings\wayne\Desktop\l2mfix\backup.zip/o648lghu1648.dll -> Spyware.Look2Me : Ignored
:mozilla.9:C:\Documents and Settings\wayne\Application Data\Mozilla\Firefox\Profiles\default.tnz\cookies.txt -> Spyware.Cookie.Doubleclick : Ignored
:mozilla.13:C:\Documents and Settings\wayne\Application Data\Mozilla\Firefox\Profiles\default.tnz\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
:mozilla.14:C:\Documents and Settings\wayne\Application Data\Mozilla\Firefox\Profiles\default.tnz\cookies.txt -> Spyware.Cookie.Atdmt : Ignored
:mozilla.19:C:\Documents and Settings\wayne\Application Data\Mozilla\Firefox\Profiles\default.tnz\cookies.txt -> Spyware.Cookie.Mediaplex : Ignored
:mozilla.20:C:\Documents and Settings\wayne\Application Data\Mozilla\Firefox\Profiles\default.tnz\cookies.txt -> Spyware.Cookie.Yieldmanager : Ignored
:mozilla.21:C:\Documents and Settings\wayne\Application Data\Mozilla\Firefox\Profiles\default.tnz\cookies.txt -> Spyware.Cookie.Yieldmanager : Ignored
:mozilla.22:C:\Documents and Settings\wayne\Application Data\Mozilla\Firefox\Profiles\default.tnz\cookies.txt -> Spyware.Cookie.Yieldmanager : Ignored
:mozilla.23:C:\Documents and Settings\wayne\Application Data\Mozilla\Firefox\Profiles\default.tnz\cookies.txt -> Spyware.Cookie.Yieldmanager : Ignored
HKLM\SOFTWARE\Classes\CLSID\{0140DF95-9128-4053-AE72-F43F0CFCA062} -> Spyware.PolyFilter : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects - Google Desktop Search Backup\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-117609710-2111687655-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0140DF95-9128-4053-AE72-F43F0CFCA062} -> Spyware.PolyFilter : Cleaned with backup
[1152] C:\WINDOWS\system32\child.dll -> TrojanDownloader.Small.bug : Cleaned with backup
C:\WINDOWS\SYSTEM32\SiKernel.dll -> Spyware.SiKernel : Cleaned with backup
C:\WINDOWS\SYSTEM32\mspostsp.exe -> Trojan.Inject.i : Cleaned with backup
C:\WINDOWS\SYSTEM32\paytime.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\damhhcme.exe -> TrojanDropper.Small.afo : Cleaned with backup
C:\WINDOWS\SYSTEM32\child.dll -> TrojanDownloader.Small.bug : Cleaned with backup
C:\WINDOWS\SYSTEM32\chke.dll -> TrojanDownloader.Small.bxa : Cleaned with backup
C:\WINDOWS\SYSTEM32\msupdate32.dll -> TrojanDownloader.Agent.aab : Cleaned with backup
C:\WINDOWS\TEMP\Cookies\wayne@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\kl.exe -> TrojanDropper.Agent.abo : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Renos.z : Cleaned with backup
C:\WINDOWS\tool1.exe -> TrojanDownloader.Small.bnt : Cleaned with backup
C:\WINDOWS\tool3.exe -> TrojanDropper.Agent.abu : Cleaned with backup
C:\WINDOWS\ms1.exe -> TrojanDownloader.Small.buh : Cleaned with backup
C:\WINDOWS\timessquare.exe -> Spyware.Hijacker.StartPage.aw : Cleaned with backup
C:\WINDOWS\adtech2005.exe -> Trojan.VB.afn : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> TrojanSpy.Small.dg : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> TrojanSpy.Small.dg : Cleaned with backup
C:\Program Files\Common Files\wfzr\wfzrm.exe -> TrojanDownloader.TSUpdate.n : Cleaned with backup
C:\Program Files\Common Files\wfzr\wfzra.exe -> TrojanDownloader.TSUpdate.l : Cleaned with backup
C:\Documents and Settings\wayne\Local Settings\Temp\Cookies\wayne@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\wayne\Local Settings\Temp\Cookies\wayne@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\wayne\Local Settings\Temp\Cookies\wayne@cz7.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\wayne\Local Settings\Temp\Cookies\wayne@e-2dj6wjlosgczmkp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\wayne\Local Settings\Temp\Cookies\wayne@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\wayne\Desktop\l2mfix\backup.zip/d0j0la1m1d.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\wayne\Cookies\wayne@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\drsmartload1.exe -> Spyware.SmartLoad : Cleaned with backup
C:\installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\contextplus.exe -> Trojan.Crypt.t : Cleaned with backup
C:\mte3ndi6odoxng.exe -> TrojanDownloader.Small.buy : Cleaned with backup


::Report End


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 22/11/2005
The current time is: 18:39:44.03

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

active scan:

Incident Status Location

Adware:adware/superspider Not desinfected C:\WINDOWS\SYSTEM\system.exe
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts
Adware:Adware/Sqwire Not desinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:adware/cws.searchmeup Not desinfected C:\WINDOWS\tool4.exe
Adware:Adware/Secure32 Not desinfected C:\WINDOWS\secure32.html
Virus:W32/Mops.A.worm Disinfected C:\WINDOWS\winext.exe
Adware:Adware/Sqwire Not desinfected C:\Program Files\Common Files\wfzr\wfzrl.exe
Adware:Adware/Sqwire Not desinfected C:\Program Files\Common Files\wfzr\wfzrp.exe
Adware:Adware/Sqwire Not desinfected C:\Program Files\Common Files\wfzr\wfzrd\wfzrc.dll
Adware:Adware/Look2Me Not desinfected C:\Documents and Settings\wayne\Desktop\l2mfix\backup.zip[d0j0la1m1d.dll]
Adware:Adware/Look2Me Not desinfected C:\Documents and Settings\wayne\Desktop\l2mfix\backup.zip[hrju0519e.dll]
Adware:Adware/Look2Me Not desinfected C:\Documents and Settings\wayne\Desktop\l2mfix\backup.zip[krdhe.dll]
Adware:Adware/Look2Me Not desinfected C:\Documents and Settings\wayne\Desktop\l2mfix\backup.zip[o4840elqehqe0.dll]
Adware:Adware/Look2Me Not desinfected C:\Documents and Settings\wayne\Desktop\l2mfix\backup.zip[o648lghu1648.dll]
Virus:Exploit/ByteVerify Renamed C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-311e32e8-780c7848.zip[Dummy.class]
Virus:Exploit/ByteVerify Renamed C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv515.jar-664ae3ae-3088066d.zip[Dummy.class]
Virus:Exploit/ByteVerify Renamed C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv404.jar-2fa1b84d-50c8e883.zip[Dummy.class]
Virus:Exploit/ByteVerify Renamed C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv407.jar-2fcbfed0-6b10ff62.zip[Dummy.class]
Virus:Exploit/ByteVerify Renamed C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv160.jar-121c520f-4727b612.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-29517b42-2e41c601.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-33a7d8bb.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-33a7d8bb.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-33a7d8bb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-33a7d8bb.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-7b1a6bc9-53192953.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-7b1a6bc9-53192953.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-7b1a6bc9-53192953.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-7b1a6bc9-53192953.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-68717ba7-4f0531fd.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-68717ba7-4f0531fd.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-68717ba7-4f0531fd.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-68717ba7-4f0531fd.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bdf1f78-1bd575ef.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bdf1f78-1bd575ef.zip[NewURLClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv432.jar-6955993c-2a0d3dc2.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv432.jar-6955993c-2a0d3dc2.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv432.jar-6955993c-2a0d3dc2.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv432.jar-6955993c-2a0d3dc2.zip[Parser.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-e49f9eb-200e2006.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-e49f9eb-200e2006.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-e49f9eb-200e2006.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\wayne\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-e49f9eb-200e2006.zip[Parser.class]
Adware:Adware/WUpd Not desinfected C:\HJT\backups\backup-20040916-181312-921.inf
Adware:Adware/Secure32 Not desinfected C:\secure32.html
Adware:Adware/Sqwire Not desinfected C:\stub_113_4_0_4_0.exe
Old 11-23-2005, 01:29 AM   #8 (permalink)
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Hello again sb_nac0


Please read through the instructions carefully before starting the fix.



Locate and delete the following folders, if present:
  • C:\Program Files\Common Files\wfzr


Locate and delete the following files:

  • C:\Documents and Settings\wayne\Desktop\l2mfix\backup.zip
    C:\WINDOWS\SYSTEM\system.exe
    C:\WINDOWS\SYSTEM32\tsuninst.exe
    C:\WINDOWS\tool4.exe
    C:\WINDOWS\secure32.html
    C:\WINDOWS\winext.exe
    C:\secure32.html
    C:\stub_113_4_0_4_0.exe
    C:\Documents and Settings\wayne\Application Data\Mozilla\Firefox\Profiles\default.tnz\cookies.txt
    C:\WINDOWS\SYSTEM32\tsuninst.exe
    C:\stub_113_4_0_4_0.exe



=========================================

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


In your next post, please include fresh logs from:
  1. HiJackThis
  2. Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Regards

alba
__________________


Member of UNITE

If I have helped you in anyway, please DONATE to TSF Go raibh maith agat
Old 11-23-2005, 10:10 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2004
Posts: 37
OS: win xp he


ok... I've done that without too many problems... just 2 things..

- I couldn't find 'C:\WINDOWS\winext.exe'

- I came across a file 'degbes.exe' in the windows folder by accident which happened to have been created at the same time and date as the other files and looked bad when I typed it into Google, so I deleted that one along with the others..

the computer seems to be behaving as far as I can see but I still get the odd pop-up now and then which is definitely not coming from the sites I'm visiting, but not as often as before, so there must be something still lurking in the background....

another thing that seems weird is when I type a site eg. www.google.com in the address bar and hit enter or press 'go' it does nothing and then suddenly loads about twenty seconds later... this definitely wasn't happening before it got infected... when I click on a site from favorites or from the drop down box in the address bar however, the site loads normally... I'm not sure if it is adware related or something else... (this only happens in internet explorer)

Started Scanning
Internet Cookies
Found 'doubleclick.net' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning



Logfile of HijackThis v1.99.1
Scan saved at 16:59:18, on 23/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WorldCommunityGrid\UD.EXE
C:\Program Files\WorldCommunityGrid\ud_3434601.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WorldCommunityGrid\ud_3434601_0.dir\WCGrid_AutoDock.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AccountLogon] C:\Program Files\AccountLogon\AccountLogon.exe
O4 - Startup: World Community Grid Agent.lnk = C:\Program Files\WorldCommunityGrid\UD.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-wayne.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-wayne.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-wayne.html (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Last edited by sb_nac0; 11-23-2005 at 10:24 AM.
Old 11-24-2005, 08:20 AM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Hi again

Sorry for the delay, I am having problems logging in; anyway, we are nearly finished.


Thank you for your patience

Please read through the instructions carefully before starting the fix.

Download Hoster and run it. Choose the 'Restore Original Hosts' button and press OK.

Download StartDreck
Unzip to its own folder

===============================================

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


Run Hoster Choose the 'Restore Original Hosts' button and press OK.


Start StartDreck:
Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running Processes
Press 'Ok'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Regards

alba
__________________


Member of UNITE

If I have helped you in anyway, please DONATE to TSF Go raibh maith agat
Old 11-24-2005, 09:46 AM   #11 (permalink)
Registered User
 
Join Date: Aug 2004
Posts: 37
OS: win xp he


StartDreck (build 2.1.7 public stable) - 2005-11-24 @ 16:44:15 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as wayne at WAYNE

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*AccountLogon=C:\Program Files\AccountLogon\AccountLogon.exe
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+340=\SystemRoot\System32\smss.exe
+388=\??\C:\WINDOWS\system32\csrss.exe
+412=\??\C:\WINDOWS\system32\winlogon.exe
+456=C:\WINDOWS\system32\services.exe
+468=C:\WINDOWS\system32\lsass.exe
+612=C:\WINDOWS\system32\svchost.exe
+660=C:\WINDOWS\system32\svchost.exe
+700=C:\WINDOWS\System32\svchost.exe
+740=C:\WINDOWS\System32\svchost.exe
+848=C:\WINDOWS\System32\svchost.exe
+940=C:\WINDOWS\system32\spoolsv.exe
+1168=C:\WINDOWS\Explorer.EXE
+1312=C:\WINDOWS\system32\ctfmon.exe
+1328=C:\Program Files\Messenger\msmsgs.exe
+1408=C:\Program Files\WorldCommunityGrid\UD.EXE
+1504=C:\Program Files\WorldCommunityGrid\ud_3434601.exe
+1552=C:\Program Files\ewido\security suite\ewidoctrl.exe
+1576=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+1604=C:\Program Files\Norton Utilities\NPROTECT.EXE
+1684=C:\WINDOWS\System32\nvsvc32.exe
+1768=C:\WINDOWS\System32\svchost.exe
+1844=C:\WINDOWS\system32\wdfmgr.exe
+1052=C:\WINDOWS\System32\alg.exe
+796=C:\Program Files\WorldCommunityGrid\ud_3434601_0.dir\WCGrid_AutoDock.exe
+3652=C:\Program Files\Mozilla Firefox\firefox.exe
+3708=C:\Documents and Settings\wayne\Desktop\Hoster.exe
+3808=C:\Documents and Settings\wayne\Desktop\New Folder\StartDreck.exe
»Application specific
Old 11-24-2005, 01:12 PM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Hello again sb_nac0

How is it when typing in "www.google.com"? Does it still hang?

Unfortunately the StartDreck log is not complete; can you do the following again?



Start StartDreck:
Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running Processes
Press 'Ok'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Regards

alba
Old 11-25-2005, 01:41 AM   #13 (permalink)
Registered User
 
Join Date: Aug 2004
Posts: 37
OS: win xp he


Here is the log again... I definitely didn't miss anything this time (saying that, I'm sure I didn't miss anything last time).

And yes, it's still hanging, unfortunately.

StartDreck (build 2.1.7 public stable) - 2005-11-25 @ 08:31:18 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as wayne at WAYNE

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*AccountLogon=C:\Program Files\AccountLogon\AccountLogon.exe
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+332=\SystemRoot\System32\smss.exe
+388=\??\C:\WINDOWS\system32\csrss.exe
+412=\??\C:\WINDOWS\system32\winlogon.exe
+456=C:\WINDOWS\system32\services.exe
+468=C:\WINDOWS\system32\lsass.exe
+612=C:\WINDOWS\system32\svchost.exe
+660=C:\WINDOWS\system32\svchost.exe
+696=C:\WINDOWS\System32\svchost.exe
+740=C:\WINDOWS\System32\svchost.exe
+828=C:\WINDOWS\System32\svchost.exe
+932=C:\WINDOWS\system32\spoolsv.exe
+1168=C:\WINDOWS\Explorer.EXE
+1308=C:\WINDOWS\system32\ctfmon.exe
+1316=C:\Program Files\Messenger\msmsgs.exe
+1376=C:\Program Files\WorldCommunityGrid\UD.EXE
+1520=C:\Program Files\ewido\security suite\ewidoctrl.exe
+1528=C:\Program Files\WorldCommunityGrid\ud_3434601.exe
+1568=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+1592=C:\Program Files\Norton Utilities\NPROTECT.EXE
+1672=C:\WINDOWS\System32\nvsvc32.exe
+1768=C:\WINDOWS\System32\svchost.exe
+1832=C:\WINDOWS\system32\wdfmgr.exe
+500=C:\WINDOWS\System32\alg.exe
+1156=C:\Program Files\WorldCommunityGrid\ud_3434601_0.dir\WCGrid_AutoDock.exe
+3408=C:\Documents and Settings\wayne\Desktop\New Folder\StartDreck.exe
»Application specific
Old 11-25-2005, 06:44 AM   #14 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
Old 11-25-2005, 07:51 AM   #15 (permalink)
Analyst, Security Team
 
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


HiYa sb_nac0

You have the patience of a saint

Unfortunately my instructions were slightly wrong.

Please follow the new instructions below.
I apologise for the mistake.

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Kind regards

alba

Last edited by alba; 11-25-2005 at 07:52 AM.
Old 11-26-2005, 04:24 AM   #16 (permalink)
Registered User
 
Join Date: Aug 2004
Posts: 37
OS: win xp he


StartDreck (build 2.1.7 public stable) - 2005-11-26 @ 10:23:25 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as wayne at WAYNE

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*AccountLogon=C:\Program Files\AccountLogon\AccountLogon.exe
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\notepad.exe %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Power Policy Settings/{CA0A4247-44BE-11d1-A005-00805F8ABE06}
*StubPath=RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Default_Search_URL=
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Bar=http://search.msn.com/spbasic.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.msn.co.uk/
+SearchUrl
*provider=gogl
*=http://www.google.com/keyword/%s
»Default User
*First Home Page=http://www.microsoft.com/isapi/redir.dll?prd=windows98&clcid=&pver=4.10&ar=runonce
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.msn.com
+SearchUrl
*provider=
»Local Machine
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\wayne\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\wayne\Start Menu\Programs\Startup\World Community Grid Agent.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /fastdetect
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
*C:\msdos.sys
`;FORMAT
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=1
`BootGUI=1
`DoubleBuffer=1
`AutoScan=1
`WinVer=4.10.2222
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
*C:\config.sys
*C:\WINDOWS\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=C:\PROGRA~1\INTERN~2\sim\bdl14122.exe
*C:\WINDOWS\system32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\system32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\mssys.com
*C:\WINDOWS\mssys.com
+C:\ntldr.exe
*C:\WINDOWS\ntldr.exe
+C:\WINDOWS\system32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\system32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
+C:\WINDOWS\system32\slrundll.exe
*C:\WINDOWS\slrundll.exe
+C:\WINDOWS\system32\clspack.exe
*C:\WINDOWS\CLSPACK.EXE
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+320=\SystemRoot\System32\smss.exe
+376=\??\C:\WINDOWS\system32\csrss.exe
+400=\??\C:\WINDOWS\system32\winlogon.exe
+444=C:\WINDOWS\system32\services.exe
+456=C:\WINDOWS\system32\lsass.exe
+600=C:\WINDOWS\system32\svchost.exe
+648=C:\WINDOWS\system32\svchost.exe
+688=C:\WINDOWS\System32\svchost.exe
+736=C:\WINDOWS\System32\svchost.exe
+784=C:\WINDOWS\System32\svchost.exe
+916=C:\WINDOWS\system32\spoolsv.exe
+1156=C:\WINDOWS\Explorer.EXE
+1280=C:\WINDOWS\system32\ctfmon.exe
+1288=C:\Program Files\Messenger\msmsgs.exe
+1336=C:\Program Files\WorldCommunityGrid\UD.EXE
+1400=C:\Program Files\WorldCommunityGrid\ud_3434601.exe
+1464=C:\Program Files\ewido\security suite\ewidoctrl.exe
+1488=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+1516=C:\Program Files\Norton Utilities\NPROTECT.EXE
+1572=C:\WINDOWS\System32\nvsvc32.exe
+1680=C:\WINDOWS\System32\svchost.exe
+1752=C:\WINDOWS\system32\wdfmgr.exe
+712=C:\WINDOWS\System32\alg.exe
+1016=C:\Program Files\WorldCommunityGrid\ud_3434601_0.dir\WCGrid_AutoDock.exe
+2488=C:\Documents and Settings\wayne\Desktop\New Folder\StartDreck.exe
+1300=C:\Program Files\Mozilla Firefox\firefox.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
Old 11-27-2005, 03:19 AM   #17 (permalink)
Analyst, Security Team
 
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Hello sb_nac0

Please read through the instructions carefully before starting the fix.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please make sure you have an ACTIVE internet connection as the tool will need to download additional files and a program.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is NORMAL.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and save the log.

At the end of the fix, you may need to restart your computer again.

Run StartDreck with the same options selected as before.
Click on each of the following and hit the Delete button in the program:
  • NUL=C:\PROGRA~1\INTERN~2\sim\bdl14122.exe
  • C:\mssys.com
  • C:\WINDOWS\mssys.com

From Control Panel -> Add/Remove Programs, uninstall the following programs, if present:
  • Internet Optimizer


Locate and delete the following folders, if present:
  • C:\Program Files\Internet Optimizer


Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.


regards

alba
Old 11-27-2005, 03:25 AM   #18 (permalink)
Analyst, Security Team
 
 
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


Hello sb_nac0

Please read through the instructions carefully before starting the fix.


From Control Panel->Add/Remove Programs, uninstall the following programs, if present, :
  • Internet Optimiser

===============================================

You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please make sure you have an ACTIVE internet connection as the tool will need to download additional files and a program.

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is NORMAL.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and save the log.

At the end of the fix, you may need to restart your computer again.

===============================================

Run StartDreck with the same options selected as before.
Click on each of the following and hit the Delete button in the program:
  • NUL=C:\PROGRA~1\INTERN~2\sim\bdl14122.exe
  • C:\mssys.com
  • C:\WINDOWS\mssys.com


Locate and delete the following folders, if present:
  • C:\Program Files\Internet Optimizer




Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log and StartDreck log.


regards

alba
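The checks alba applies by hand in the two posts above, against the full StartDreck log posted earlier, can be scripted. What follows is an added example written for this page, not code from the thread or from StartDreck: it parses a StartDreck log and flags a pending wininit.ini [Rename] request (the Win9x-style delete-at-next-boot mechanism, worth knowing who wrote it whatever the OS does with it), hosts entries other than localhost, the %PATH% companion files StartDreck lists, and Run values that are bare names (which Windows resolves through the PATH search, exactly what a companion file exploits) or that point outside System32 and Program Files. The sample log is a constructed excerpt modelled on the posted one; the second hosts line is invented to exercise that check, and the "safe" directory list and the assumption that %SystemRoot% is C:\WINDOWS are the editor's, not StartDreck's.

```python
"""Triage a StartDreck log the way the analyst above did by eye. Added example
for this thread (not StartDreck's or the posters' code); the heuristics and the
sample log are the editor's assumptions."""
import re

# Constructed excerpt modelled on the posted log; the second hosts line is
# invented to exercise that check (the real log listed only localhost).
SAMPLE_LOG = r"""»Run Keys
»Current User
»Run
*AccountLogon=C:\Program Files\AccountLogon\AccountLogon.exe
»Local Machine
»Run
*SystemTray=SysTray.Exe
+OptionalComponents
*Installed=1
»Text Files
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=C:\PROGRA~1\INTERN~2\sim\bdl14122.exe
*C:\WINDOWS\system32\drivers\etc\hosts
`127.0.0.1 localhost
`127.0.0.1 liveupdate.example.invalid
»%PATH% Companion Files
+C:\mssys.com
*C:\WINDOWS\mssys.com
"""

SECTION_OF = {"Run Keys": "run", "Text Files": "text", "%PATH% Companion Files": "companion"}
RUN_SUBHEADERS = {"Current User", "Default User", "Local Machine", "Run", "RunOnce",
                  "RunServices", "RunServicesOnce", "RunOnceEx", "RunServicesOnceEx"}
SAFE_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")   # editor's assumption
# first token of a command line: quoted path, unquoted path ending in an executable extension (spaces allowed), or a bare word
EXE_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|com|scr|pif|bat|cmd))(?=\s|$)|(\S+)', re.I)


def parse_startdreck(text: str) -> dict:
    """StartDreck marks headers with », subkeys with +, values with * and file
    contents with `; collect Run values, wininit.ini/hosts lines and PATH companions."""
    out = {"run": [], "wininit": [], "hosts": [], "companions": []}
    section = hive = context = None
    text_file, in_subkey = "", False
    for line in filter(None, map(str.strip, text.splitlines())):
        marker, body = line[0], line[1:].strip()
        if marker == "»":
            in_subkey = False
            if section == "run" and body in RUN_SUBHEADERS:
                if body.startswith("Run"):
                    context = f"{hive}\\{body}"
                else:
                    hive = body
            else:
                section, context = SECTION_OF.get(body), body
        elif section == "run":
            if marker == "+":                       # nested subkey, not an autostart value
                in_subkey = True
            elif marker == "*" and not in_subkey:
                name, _, cmd = body.partition("=")
                out["run"].append((context, name, cmd))
        elif section == "text":
            if marker == "*":
                text_file = body.lower()
            elif marker == "`" and text_file.endswith("wininit.ini") and "=" in body:
                out["wininit"].append(body)
            elif marker == "`" and text_file.endswith("\\hosts") and not body.startswith("#"):
                out["hosts"].append(body)
        elif section == "companion":
            if marker == "+":
                context = body
            elif marker == "*":
                out["companions"].append((context, body))
    return out


def executable_of(command: str) -> str:
    """Executable a command line launches; %SystemRoot% assumed to be C:\\WINDOWS."""
    cmd = re.sub(r"%systemroot%", lambda m: "C:\\WINDOWS", command, flags=re.I).strip()
    m = EXE_RE.match(cmd)
    return next(g for g in m.groups() if g) if m else ""


def triage(parsed: dict) -> list:
    """Boot-time file ops, hosts overrides, PATH shadowing, bare-name or out-of-place autostarts."""
    findings = []
    for entry in parsed["wininit"]:                 # [Rename] NUL=<file>: Win9x-style delete-at-next-boot request
        findings.append(f"wininit.ini rename pending: {entry}")
    for entry in parsed["hosts"]:
        parts = entry.split()
        if len(parts) >= 2 and parts[1].lower() != "localhost":
            findings.append(f"hosts override: {entry}")
    for primary, companion in parsed["companions"]:  # same name in two PATH dirs, or .com beside .exe
        findings.append(f"PATH companion: {primary} <-> {companion}")
    for context, name, cmd in parsed["run"]:
        exe = executable_of(cmd)
        if "\\" not in exe:                         # bare name: found by %PATH% search, see companions
            findings.append(f"{context} {name}: bare name {exe} resolved via PATH")
        elif not exe.lower().startswith(SAFE_PREFIXES):
            findings.append(f"{context} {name}: outside System32/Program Files: {exe}")
    return findings
```

Run triage(parse_startdreck(open("StartDreck.log", encoding="utf-8").read())) against a saved log; on the sample it reports the wininit.ini entry, the invented hosts line, the mssys.com pair and the bare-name SysTray.Exe value, and stays quiet about AccountLogon, which lives under Program Files. The findings are prompts for review, not verdicts: a bare name in a Run key is only dangerous if a companion file sits earlier in the search order, which is why the two checks are reported side by side.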
Old 11-27-2005, 04:58 AM   #19 (permalink)
Registered User
 
Join Date: Aug 2004
Posts: 37
OS: win xp he


Just a few points when following the instructions:

- 'Internet Optimiser' was not found under Add/Remove Programs or Program Files.

- FixWareout didn't do the 'You will be asked to reboot your computer...' part onwards. It just finished what it was doing and came up with a log.

- When I selected '`NUL=C:\PROGRA~1\INTERN~2\sim\bdl14122.exe', the Delete button was greyed out.

- IE no longer hangs.






Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):43,3a,5c,50,52,4f,47,52,41,7e,31,5c,53,79,6d,61,6e,74,65,63,5c,53,\
33,32,45,56,4e,54,31,2e,44,4c,4c,00,00
.....
End vxd check
.....
please post this at the forum




Logfile of HijackThis v1.99.1
Scan saved at 10:49:56, on 27/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WorldCommunityGrid\UD.EXE
C:\Program Files\WorldCommunityGrid\ud_3434601.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WorldCommunityGrid\ud_3434601_0.dir\WCGrid_AutoDock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AccountLogon] C:\Program Files\AccountLogon\AccountLogon.exe
O4 - Startup: World Community Grid Agent.lnk = C:\Program Files\WorldCommunityGrid\UD.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-wayne.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-wayne.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-wayne.html (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


StartDreck (build 2.1.7 public stable) - 2005-11-27 @ 10:37:04 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as wayne at WAYNE

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*AccountLogon=C:\Program Files\AccountLogon\AccountLogon.exe
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\notepad.exe %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Power Policy Settings/{CA0A4247-44BE-11d1-A005-00805F8ABE06}
*StubPath=RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Default_Search_URL=
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Bar=http://search.msn.com/spbasic.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.msn.co.uk/
+SearchUrl
*provider=gogl
*=http://www.google.com/keyword/%s
»Default User
*First Home Page=http://www.microsoft.com/isapi/redir.dll?prd=windows98&clcid=&pver=4.10&ar=runonce
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.msn.com
+SearchUrl
*provider=
»Local Machine
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\wayne\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\wayne\Start Menu\Programs\Startup\World Community Grid Agent.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /fastdetect
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
*C:\msdos.sys
`;FORMAT
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=1
`BootGUI=1
`DoubleBuffer=1
`AutoScan=1
`WinVer=4.10.2222
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
*C:\config.sys
*C:\WINDOWS\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=C:\PROGRA~1\INTERN~2\sim\bdl14122.exe
*C:\WINDOWS\system32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\system32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\ntldr.exe
*C:\WINDOWS\ntldr.exe
+C:\WINDOWS\system32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\system32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
+C:\WINDOWS\system32\slrundll.exe
*C:\WINDOWS\slrundll.exe
+C:\WINDOWS\system32\clspack.exe
*C:\WINDOWS\CLSPACK.EXE
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+320=\SystemRoot\System32\smss.exe
+376=\??\C:\WINDOWS\system32\csrss.exe
+400=\??\C:\WINDOWS\system32\winlogon.exe
+444=C:\WINDOWS\system32\services.exe
+456=C:\WINDOWS\system32\lsass.exe
+600=C:\WINDOWS\system32\svchost.exe
+648=C:\WINDOWS\system32\svchost.exe
+684=C:\WINDOWS\System32\svchost.exe
+728=C:\WINDOWS\System32\svchost.exe
+784=C:\WINDOWS\System32\svchost.exe
+920=C:\WINDOWS\system32\spoolsv.exe
+1152=C:\WINDOWS\Explorer.EXE
+1276=C:\WINDOWS\system32\ctfmon.exe
+1292=C:\Program Files\Messenger\msmsgs.exe
+1332=C:\Program Files\WorldCommunityGrid\UD.EXE
+1400=C:\Program Files\WorldCommunityGrid\ud_3434601.exe
+1460=C:\Program Files\ewido\security suite\ewidoctrl.exe
+1488=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+1524=C:\Program Files\Norton Utilities\NPROTECT.EXE
+1576=C:\WINDOWS\System32\nvsvc32.exe
+1688=C:\WINDOWS\System32\svchost.exe
+1764=C:\WINDOWS\system32\wdfmgr.exe
+836=C:\WINDOWS\System32\alg.exe
+1044=C:\Program Files\WorldCommunityGrid\ud_3434601_0.dir\WCGrid_AutoDock.exe
+1476=C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
+2208=C:\Program Files\Mozilla Firefox\firefox.exe
+2764=C:\Documents and Settings\wayne\Desktop\New Folder\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
Old 11-27-2005, 12:42 PM   #20 (permalink)
Analyst, Security Team
Join Date: Feb 2005
Location: Eire
Posts: 2,006
OS: Vista, Ubuntu 8.04


hello again sb_nac0

It looks like FixWareout didn't run properly.

Please do the following and we will try wareout again.

Please copy autoexec.nt from the C:\WINDOWS\repair folder to the C:\WINDOWS\system32 folder.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please make sure you have an ACTIVE internet connection as the tool will need to download additional files and a program.

Please download FixWareout from one of these sites:
http://forums.subratam.org/index.php...=post&id=43811
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is NORMAL.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and save the log. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Run StartDreck with the same options selected as before.
Click on the following and hit the Delete button in the program:

*C:\WINDOWS\wininit.ini.

Finally, please post the contents of the logfile C:fixwareoutreport.txt, along with a new HijackThis and StartDreck log.

Regards

alba
__________________


Member of UNITE

If I have helped you in any way, please DONATE to TSF Go raibh maith agat

Last edited by alba; 11-27-2005 at 12:44 PM.
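The StartDreck log posted above can be triaged mechanically before anything is deleted. The following is an added example (not code from the thread, from StartDreck or from FixWareout) that parses the pasted log format and reports two things a helper looks for: a pending wininit.ini [Rename] entry (a destination of NUL means the source file is deleted at the next boot) and a file-type handler launched from a directory outside an allow-list; the marker meanings and the allow-list are assumptions, and a "handler-location" finding is a prompt for review, not a verdict.

```python
# Added example (not StartDreck's or FixWareout's code): triage a pasted StartDreck log.
import re

SAMPLE_LOG = r"""»File Associations (CR)
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.txt
*txtfile=C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\notepad.exe %1
»Text Files
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=C:\PROGRA~1\INTERN~2\sim\bdl14122.exe
"""  # constructed sample: lines copied from the StartDreck log in this thread
# Assumed allow-list (heuristic): directories a file-type handler normally lives in.
EXPECTED_DIRS = {"c:\\windows", "c:\\windows\\system32", "%systemroot%\\system32"}
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\")
EXE = re.compile(r'^"?([^"]*?\.exe)', re.IGNORECASE)
def parse(log):
    """Return [(section, key, name, value, content_lines)] per '*' entry. Markers: '»'
    section, '+' key, '*' value, '`' file content; nesting is lost on paste (order only)."""
    records, section, key = [], None, None
    for line in log.splitlines():
        if line.startswith("»"):
            section, key = line[1:], None
        elif line.startswith("+"):
            key = line[1:]
        elif line.startswith("*"):
            name, _, value = line[1:].partition("=")
            records.append((section, key, name, value, []))
        elif line.startswith("`") and records:
            records[-1][4].append(line[1:])
    return records
def handler_outside_expected(value):
    """Return the handler's .exe path when it runs from an unexpected directory."""
    m = EXE.match(value)
    if not m or "\\" not in m.group(1):  # '"%1" %*' or a bare name found via PATH
        return None
    directory = m.group(1).lower().rsplit("\\", 1)[0]
    ok = directory in EXPECTED_DIRS or directory.startswith(EXPECTED_PREFIXES)
    return None if ok else m.group(1)
def triage(log):
    """Return (check, subject, detail) findings for a human to review."""
    findings = []
    for section, key, name, value, content in parse(log):
        if section and section.startswith("File Associations"):
            if path := handler_outside_expected(value):
                findings.append(("handler-location", key, path))
        elif section == "Text Files" and name.lower().endswith("wininit.ini"):
            for line in content:  # [Rename] entries read destination=source
                dst, sep, src = line.partition("=")
                if sep:  # a destination of NUL means the source is deleted at boot
                    action = "delete" if dst.upper() == "NUL" else "move to " + dst
                    findings.append(("pending-rename", src, action))
    return findings
```

Run against a full pasted log, the "pending-rename" finding is the entry the fix above asks to remove through StartDreck, and any "handler-location" finding is worth checking against the HijackThis log before acting on it.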
Copyright 2001 - 2009, Tech Support Forum