[Done]Log File-Thanks (merged)

Discussion in 'adware, spyware & hijack cleaning' started by Daniel0000, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. Daniel0000
    Offline

    Daniel0000 Registered Member

    Ran adaware/spybot and have spyware guard and spyware blaster? Which are preferrable. One antivirus, one anti spyware, one recovery, one footprint remover (privacy protection?). Would just like the name of the best 5 or 6 programs that I should be using to be private and safe.

    Anyways, here's my log file:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:02:16 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\eMule\eMule.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\WINDOWS\System32\ImapiRox.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Toolbar\IExploreSkins.exe
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Program Files\mIRC\download\Computer Performance\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50007
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maddox.xmission.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50007
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://maddox.xmission.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50007
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
    O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
    O4 - HKCU\..\Run: [update] C:\WINDOWS\update\hide C:\WINDOWS\update\ess.bat
    O4 - HKCU\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
    O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} - http://www.one2one.com/static/class/one2oneSvc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_XP.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2819863e33db15101520/netzip/RdxIE6.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.4436342593
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553556600} - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {EBC448F6-3C86-4689-8F5A-088B87E5C725} (Wonderhorse Listener ActiveX Control 1.2) - http://talkradio.alternacast.net/talkradio/clients/listener/bin/whlisten12.cab
    O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006_cracks.cab
  2. Daniel0000
    Offline

    Daniel0000 Registered Member

    Running Program Log File

    I have a tiny program called procexpnt which is an internal system explorer or something. It shows me everything that's running. I caught a virus a while ago and I recognized it as something that had been up and running for months. So just in case my spybot/adaware log didn't have this: here's everything that's running. Please help with what to change/remove/fix...?

    Process PID CPU Description Company Name
    System Idle Process 0 63
    Interrupts n/a Hardware Interrupts
    DPCs n/a 1 Deferred Procedure Calls
    System 4 1
    smss.exe 780 Windows NT Session Manager Microsoft Corporation
    CSRSS.EXE 832 1 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 856 3 Windows NT Logon Application Microsoft Corporation
    SERVICES.EXE 900 Services and Controller app Microsoft Corporation
    SVCHOST.EXE 1072 Generic Host Process for Win32 Services Microsoft Corporation
    SVCHOST.EXE 1168 Generic Host Process for Win32 Services Microsoft Corporation
    SVCHOST.EXE 1264 Generic Host Process for Win32 Services Microsoft Corporation
    SVCHOST.EXE 1296 Generic Host Process for Win32 Services Microsoft Corporation
    SPOOLSV.EXE 1640 Spooler SubSystem App Microsoft Corporation
    CTSVCCDA.EXE 1980 Creative Service for CDROM Access Creative Technology Ltd
    defwatch.exe 2000 Virus Definition Daemon Symantec Corporation
    rtvscan.exe 2040 Norton AntiVirus Symantec Corporation
    MSGSYS.EXE 1828 CBA -- Message System Intel Corporation
    nvsvc32.exe 248 NVIDIA Driver Helper Service, Version 15.20 NVIDIA Corporation
    SVCHOST.EXE 288 Generic Host Process for Win32 Services Microsoft Corporation
    WToolsS.exe 324
    lsass.exe 912 LSA Shell (Export Version) Microsoft Corporation
    explorer.exe 552 1 Windows Explorer Microsoft Corporation
    EM_EXEC.EXE 1116 Control Center Logitech Inc.
    vptray.exe 1132 13 Norton AntiVirus Symantec Corporation
    WToolsA.exe 1148 1
    WSup.exe 296
    realsched.exe 1224 RealNetworks Scheduler RealNetworks, Inc.
    devldr32.exe 1388 DevLdr32 Creative Technology Ltd.
    ntvdm.exe 1476 NTVDM.EXE Microsoft Corporation
    CMD.EXE 1284 1 Windows Command Processor Microsoft Corporation
    start.exe 2292
    pv.exe 2444
    pv.exe 2400 3
    mirc.exe 3096 1 mIRC mIRC Co. Ltd.
    eMule.exe 3012 eMule Plus http://emuleplus.info
    WinRAR.exe 712 3
    procexp.exe 3828 3 Sysinternals Process Explorer Sysinternals
    iexplore.exe 4072 Internet Explorer Microsoft Corporation

    Process: ntvdm.exe Pid: 1476

    Type Name
    Desktop \Default
    Directory \Windows
    Directory \BaseNamedObjects
    Directory \KnownDlls
    Event \BaseNamedObjects\userenv: User Profile setup event
    File \Device\SymEvent
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805
    File C:\WINDOWS\SYSTEM32\KRNL386.EXE
    File C:\WINDOWS\SYSTEM32\WOWEXEC.EXE
    File C:\WINDOWS\SYSTEM32\MOUSE.DRV
    File C:\WINDOWS\SYSTEM32\WFWNET.DRV
    File C:\WINDOWS\SYSTEM32\VGA.DRV
    File C:\WINDOWS\SYSTEM32\GDI.EXE
    File C:\WINDOWS\SYSTEM32\SOUND.DRV
    File C:\
    File C:\WINDOWS\SYSTEM32\COMM.DRV
    File C:\WINDOWS\SYSTEM32\MMSYSTEM.DLL
    File C:\WINDOWS\SYSTEM32\SHELL.DLL
    File C:\WINDOWS\SYSTEM32\WINOLDAP.MOD
    Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    Key HKLM
    Key HKLM\HARDWARE\DESCRIPTION\System
    Key HKCU
    Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ModuleCompatibility
    KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
    Mutant \BaseNamedObjects\msvdmdbg.mtx
    Mutant \BaseNamedObjects\ShimCacheMutex
    Process CMD.EXE(1284)
    Section \BaseNamedObjects\msvdmdbg.wow
    Section \BaseNamedObjects\VdmConventionalMemory1476
    Section \BaseNamedObjects\ShimSharedMemory
    Semaphore \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
    Thread ntvdm.exe(1476): 1480
    Thread ntvdm.exe(1476): 1480
    Thread ntvdm.exe(1476): 1208
    Thread ntvdm.exe(1476): 1412
    Thread ntvdm.exe(1476): 1412
    WindowStation \Windows\WindowStations\WinSta0
    WindowStation \Windows\WindowStations\WinSta0
  3. Daniel0000
    Offline

    Daniel0000 Registered Member

    Re: Log File-Thanks (merged)

    Bumping. Thanks to all you techies for your hard work.
    Happy 4th.
  4. snapdragin
    Offline

    snapdragin Administrator

    Re: Log File-Thanks (merged)

    Hi Daniel0000,

    There's a file I'm suspicious of and not finding much information on it: ess.bat If you do not recognize it or know what it is for, then locate the ess.bat in the C:\WINDOWS folder, and upload it for a scan at Kaspersky.
    If the scan comes back with the results the file is infected, then include it in the fix below.

    Also, could you zip up a copy of the update folder, (if it's too large, then just zip up a copy of the 'ess.bat' file), password protect the zipped copy, (use the word infected as the password) and email the zipped copy to pieterATwilderssecurity.org (replace the AT with an @) for analysis. In the body of the email message, state that the password is "infected" and include a link to this thread, so Pieter will be able to find it easily. Can you also submit a zipped copy to submit@diamondcs.com.au for analysis. Thank you.

    Then go to Add/Remove Programs and uninstall WinTools, MyWay, QuickSearch, Toolbar, and Incredifind if you can, either way, continue with the following.


    In HijackThis, place a check beside the following items.
    Close ALL browsers and any open programs/windows, except HijackThis, and click *Fix checked:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50007
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50007
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50007

    (I am not familiar with these sites, so if you did not set them yourself, or want to keep them, then fix these too)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maddox.xmission.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://maddox.xmission.com/

    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

    O1 - Hosts: 217.116.231.7 aimtoday.aol.com

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
    O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [update] C:\WINDOWS\update\hide C:\WINDOWS\update\ess.bat
    O4 - HKCU\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/...ive/HS_live.cab
    O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} - http://www.one2one.com/static/class/one2oneSvc.cab

    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binari...DHTML_US_XP.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2819863e33db15...tzip/RdxIE6.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/so...tiveXPlugin.cab
    O16 - DPF: {EBC448F6-3C86-4689-8F5A-088B87E5C725} (Wonderhorse Listener ActiveX Control 1.2) - http://talkradio.alternacast.net/ta.../whlisten12.cab
    O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...0006_cracks.cab


    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Find and delete only these folders listed in bold:
    C:\Program Files\MyWay
    C:\Program Files\INCREDIFIND
    C:\Program Files\QuickSearch
    C:\Program Files\Toolbar
    C:\Program Files\Common files\WinTools

    In case any of the above folders are hidden, make sure you have Hidden Files and Folders Viewable
    Click Start > My Computer >Select the Tools menu >click Folder Options >Select the View Tab. Under the "Hidden files and folders" heading, select Show hidden files and folders. UN-check the "Hide protected operating system files (recommended)" option. Then click Yes.

    Use the Disk Cleanup Utility to clear your temp folders.

    Reboot your computer normally, and do a FULL system scan at one of these on-line scan sites: Free Services

    Next, followup with a scan from Spybot S&D and AdAware6 to clean any remanents.
    Download links and instructions can be found here

    Before posting a new log, would you please open MSConfig by clicking the Start button, then click Run, then type in msconfig. Put a check in the box beside "Normal Startup - Load all device drivers and services" option. This will let everything in the startup run, and allow us to see if there is anything there that may need removed.

    Then once the above is done, rescan with Hijackthis and post a new log here in this thread to be checked.

    Regards,

    snap
  5. Daniel0000
    Offline

    Daniel0000 Registered Member

    Re: Log File-Thanks (merged)

    E-mail sent. ess.bat was definitely a virus.
    I had 598 viruses and 199 (spywares?)
    So some of the stuff that you told me to clean may be been cleaned out by various other programs than hijackthis, hopefully still in an acceptable way.

    New log file. Update folder and ess.bat are bad, and so is blss, but for some reason, I can't seem to find blss. cmd.exe and pv.exe are running always, which doesn't make sense (except they're in the abominable update folder, maybe they're all bad news?). Other things that I see that don't seem to exist (and they're not hidden folder). Like this spywareguard and stripsaver and blss.

    Thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 12:02:51 AM, on 7/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\PopUp Killer\PopUpKiller.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\cmd.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\update\start.exe
    C:\WINDOWS\update\WinUpdate.exe
    C:\Program Files\mIRC\download\Computer Performance\HijackThis.exe
    C:\WINDOWS\update\pv.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maddox.xmission.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://maddox.xmission.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\eDonkey2000.exe -t
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [CC2KUI] C:\PROGRA~1\Comet\Bin\cstray.exe
    O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [update] C:\WINDOWS\update\hide C:\WINDOWS\update\ess.bat
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
    O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\dudez\protowall\ProtoWall.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\win32.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: StripSaver.lnk = C:\Program Files\Overnet\Screensaver\StripSaver.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
    O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} - http://www.one2one.com/static/class/one2oneSvc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_XP.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2819863e33db15101520/netzip/RdxIE6.cab
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.4436342593
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553556600} - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {EBC448F6-3C86-4689-8F5A-088B87E5C725} (Wonderhorse Listener ActiveX Control 1.2) - http://talkradio.alternacast.net/talkradio/clients/listener/bin/whlisten12.cab
  6. snapdragin
    Offline

    snapdragin Administrator

    Re: Log File-Thanks (merged)

    Hi Daniel0000,

    I'm a little surprised that the on-line scans didn't remove some of these viruses. Ok, let's try this once more.

    O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe <-- Symantec's calls it: Backdoor.Blarul
    So it would also be wise to check your phone bill.

    I don't like the looks of this one.
    O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\win32.exe <-- It could be: BKDR_LITMUS.203
    Please upload the win32.exe in the litmus folder to Kaspersky for a scan to confirm.
    Then submit a zipped copy of the "litmus" folder to the address I posted above in Post #4, thank you.

    The 'cmd.exe' is a ligitimate windows file and needed. It is also showing in the right location so it is ok. But you can always scan the file at Kaspersky to make sure it hasn't been tampered with.

    I want to be sure you knowingly installed this program, if not, then try and uninstall it through the Add/Remove Programs.
    O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
    "An internet traffic control tool to monitor applications which access the internet and actively control their internet traffic. Use it to set (download/upload) speed limits for applications or even single connection. NetLimiter also allows you to share your internet connection bandwidth among all applications running on your PC."

    _____

    I'm also surprised AdAware or Spybot didn't catch and remove some of these other items I'm now seeing, so could you please check and make sure you are using the most current versions of Spybot S&D v1.3, and AdAware6 build 6.181, and have checked for updates and brought them up-todate.

    First try and uninstall "WinTools", and "Comet Cursor", and "PrecisionTime" through the Add/Remove Programs in Control Panel.

    Disconnect from the internet, and boot your computer into safe mode by tapping the F8 key just before Windows begins to load.

    Then bring up TaskManager and end process on these if they are running.

    start.exe
    WinUpdate.exe
    pv.exe


    Next, rescan with Hijackthis and place a check beside the following.
    Make sure you have no browsers open (except Hijackthis) and click *Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R3 - Default URLSearchHook is missing

    O1 - Hosts: 217.116.231.7 aimtoday.aol.com

    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)

    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [CC2KUI] C:\PROGRA~1\Comet\Bin\cstray.exe
    O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe
    O4 - HKCU\..\Run: [update] C:\WINDOWS\update\hide C:\WINDOWS\update\ess.bat
    O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\win32.exe

    (Part of Gator Spyware. See Here for more information)
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    (Part of Gain Spyware. See Here for more information.)
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binari...DHTML_US_XP.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2819863e33db15...tzip/RdxIE6.cab


    (Optional to fix, but fixing them will save you some resources as they do not need to start up when you turn your computer on)
    O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe



    Then find and delete only these files/folders listed below in bold:

    C:\WINDOWS\update <-- the entire 'update' folder with the WinUpdate.exe, start.exe, pv.exe, ess.bat files in it.
    C:\Program Files\blss <-- the folder with the blss.exe in it.
    C:\Program Files\Comet <-- the folder
    C:\Program Files\Toolbar <-- the folder

    C:\WINDOWS\litmus\win32.exe <-- delete the 'litmus' folder if Kaspersky has confirmed infection.

    While still in Safe Mode, empty your Temp folders, and do another scan with AdAware and/or Spybot Search&Destroy, and remove/fix what they find.

    Reboot your computer and go back on line.

    There's a good chance your system has been compromised given all the infection you have.
    Please download and install the 30-day free trial of TDS-3
    Before you open and run the program, download the latest radius database file Radius td3 update.
    Right-click on the link shown on the updates page, and choose "Save target as" and save it to your TDS install directory (say "yes" to overwriting the one that is there).
    When you open TDS set all "Scan Control" settings to their highest sensitivity, then choose the 'Full system Scan" and scan your local drives.

    Then do another on-line antivirus scan, and fix/delete what it finds.

    Once you have finished ALL of the above, post a new hijackthis log here so we can check that we got it all.

    Regards,

    snap

    You may want to save these instructions to a .txt file, or print them out, so you can read them since you will be going off-line and doing this in safe mode.

    Other references:
    http://www.liutilities.com/products/wintaskspro/processlibrary/win32/
    http://www.liutilities.com/products/wintaskspro/processlibrary/winupdate/
    Last edited: Jul 11, 2004
  7. Daniel0000
    Offline

    Daniel0000 Registered Member

    Re: Log File-Thanks (merged)

    Ad-aware and the virus scanner found nothing, but tds3 identified every file on my computer has having trojandropper.yyyyyyy
    ?

    Oh, and my comp. doesn't restart or shutdown. The screen freezes on windows is shutting down. I have to manually turn it off and restart with the power button.


    Logfile of HijackThis v1.97.7
    Scan saved at 7:56:58 AM, on 7/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Documents and Settings\Daniel Schiff\Desktop\Computer Performance\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maddox.xmission.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://maddox.xmission.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\dudez\protowall\ProtoWall.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
    O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} - http://www.one2one.com/static/class/one2oneSvc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.4436342593
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553556600} - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {EBC448F6-3C86-4689-8F5A-088B87E5C725} (Wonderhorse Listener ActiveX Control 1.2) - http://talkradio.alternacast.net/talkradio/clients/listener/bin/whlisten12.cab
  8. snapdragin
    Offline

    snapdragin Administrator

    Re: Log File-Thanks (merged)

    Hi Daniel0000,

    Your log is clean now.

    As for what happened with the TDS-3 scan, unfortunately, there was a corrupted Radius file update with the last update at the same time you downloaded and isntalled it. It isn't something that's happened before, but like with any program, it can happen. The issue was quickly caught and a new Radius update file has now replaced the old one.

    It is always good practice to do a check of any files that may be listed as bad by a program, just in case there is a false/positive, or a corrupted update of a program's database. You didn't delete any files that TDS-3 listed, did you?

    You can get the new Radius database file here: Radius td3 update.
    Right-click on the link shown on the updates page, and choose "Save target as" and save it to your TDS install directory (say "yes" to overwriting the one that is there).

    Then do another scan with TDS-3.

    I'm not seeing the win32.exe file now. Did the Kaspersky scan say it was infected and you've deleted it?
    Also, were you able to submit the 'litmus' folder to the email addresses listed in my Post #4.

    I don't know what would be causing Windows to freeze before shutdown. It may be because it was previously infected and files have since been removed.
    After deleting files and folders, it is a good idea to do a clean up of the temp folders and defrag the hard drive. This should be done as regular maintenance of your system:

    Use the Disk cleanup Utility to clean out your Temp folders. Disk Cleanup Utility

    To open Disk Defragmenter: Click "Start" -> "Programs" -> "Accessories" -> "System Tools" -> "Disk Defragmenter" and click the "Defragment" button (it will take a few minutes to finish if you haven't done it in awhile).

    At this point I would normally tell you to turn System Restore off to purge any infected files backed up in it, but for the moment we dont' want to do that until we are sure your system is working normally again.

    Try the cleaning of the temp folders, defrag, and several reboots, and let me know how things are going.

    Regards,

    snap
  9. Daniel0000
    Offline

    Daniel0000 Registered Member

    Re: Log File-Thanks (merged)

    Phew. I was worried my whole comp. was trojaned or something :)

    The win32 file wouldn't copy/paste or anything. I had to delete it manually with cmd del after a restart in safe mode.

    My comp. still doesn't restart correctly. Don't know why :(

    Logfile of HijackThis v1.97.7
    Scan saved at 3:07:11 PM, on 8/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\svcnet.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe
    C:\Program Files\BitTornado\btdownloadgui.exe
    C:\Program Files\BitTornado\btdownloadgui.exe
    C:\Program Files\BitTornado\btdownloadgui.exe
    C:\Program Files\eMule\eMule.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Daniel Schiff\Desktop\Computer Performance\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maddox.xmission.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://maddox.xmission.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [System Restore] svcnet.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [System Restore] svcnet.exe
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
    O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} - http://www.one2one.com/static/class/one2oneSvc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.4436342593
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553556600} - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {EBC448F6-3C86-4689-8F5A-088B87E5C725} (Wonderhorse Listener ActiveX Control 1.2) - http://talkradio.alternacast.net/talkradio/clients/listener/bin/whlisten12.cab


    Thanks, Snap
  10. snapdragin
    Offline

    snapdragin Administrator

    Re: Log File-Thanks (merged)

    Hi Daniel,

    I Hate to be the barer of bad news, but it looks like you have picked up another nasty infection since your last log.
    Trend Micro shows the svcnet.exe file as belonging to Worm Agobot.LZ.

    Please make sure you have all files and folders viewable:
    How to Show Hidden Files and Folders

    Pull up Task Manager (ctrl+alt+del keys) and try and end the running process for 'svcnet.exe' if you can.

    Then with only Hijackthis open, and all other browsers closed, place a check beside the following and click "Fix checked"

    O4 - HKLM\..\Run: [System Restore] svcnet.exe
    O4 - HKCU\..\Run: [System Restore] svcnet.exe


    Restart your computer in Safe Mode by tapping the F8 key just before windows begins to load.

    C:\WINDOWS\System32\svcnet.exe <--can you zip up a copy of the file and email the zipped copy to submit At diamondcs.com.au (replace the At with @ ). Include a link back to this thread in the body of the email please. Then upload a copy of it to Kaspersky for a scan to confirm. Then delete the 'svcnet.exe' file.

    Restart your computer normally.

    Use the Disk cleanup Utility to clean out your Temp folders. Disk Cleanup Utility

    For further cleanup, Trend Micro also has a removal tool for this variant: http://www.trendmicro.com/download/dcs.asp
    If you are not a Trend Micro customer, then the tool you would use is called Sysclean Package. Make sure you read the "readme_sysclean.txt' for how to use the tool correctly.

    It wouldn't hurt to do an on-line scan too: Free Services

    Before posting a new log, would you please open MSConfig by clicking the Start button, then click Run, then type in msconfig. Put a check in the box beside "Normal Startup - Load all device drivers and services" option. This will let everything in the startup run, and allow us to see if there is anything there that may need removed.

    There is also a newer version of HijackThis. Please download Hijackthis 1.98.1, run a scan with it and post a new log here to be check. I also must ask that you post a new log as soon as possible as this specific forum (the adware, spyware & hijack cleaning forum) will be closed soon as per this Announcement and I would like to see a final log first if we can.

    Regards,

    snap
  11. Daniel0000
    Offline

    Daniel0000 Registered Member

    Re: Log File-Thanks (merged)

    alright e-mail would not send. server didn't accept or something. i thought maybe bcuz virus was in the title, but i redid and still no send.

    Kasperky read it as a worm.p2p virus

    Logfile of HijackThis v1.98.2
    Scan saved at 9:17:22 AM, on 8/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\WINDOWS\SM1BG.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\ShutDownOnTime\ShutDownOnTime.exe
    C:\Program Files\PopUp Killer\PopUpKiller.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\PROGRA~1\AIM95\aim.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Daniel Schiff\Desktop\Computer Performance\HijackThis1982.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maddox.xmission.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://maddox.xmission.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [ShutDownOnTime] C:\Program Files\ShutDownOnTime\ShutDownOnTime.exe
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\dudez\protowall\ProtoWall.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
    O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} - http://www.one2one.com/static/class/one2oneSvc.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {EBC448F6-3C86-4689-8F5A-088B87E5C725} (Wonderhorse Listener ActiveX Control 1.2) - http://talkradio.alternacast.net/talkradio/clients/listener/bin/whlisten12.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (file missing)

    going to olympics for two weeks.
    my e-mail's ~removed personal email - snap~ if you need it
    sorry the forum's closing

    could you by chance reccomend me to your next favorite security forum?

    Thanks,

    ~Daniel
    Last edited by a moderator: Aug 9, 2004
  12. snapdragin
    Offline

    snapdragin Administrator

    Re: Log File-Thanks (merged)

    Hi Daniel,

    I've removed your personal email in your above post so the spam bots won't harvest it.

    Your ISP may have detected the infected file or one of the recipient's security applications may have stopped it when you tried to email the zipped file. If you still have a zipped copy of the 'svcnet.exe' file, you can try giving it a password, which will allow it to be emailed. Use the password infected and also mention the password in the email message along with a link back to this thread, so those receiving it will know what password to use to open it and be also be able to locate your thread here.

    Your log looks clean to me now, but there are two items I am unsure about.

    I'm not familiar with this program. If you know what it is then you don't need to fix it. If you are not sure, then you can fix it in Hijackthis, and upload the "ShutDownOnTime.exe" file to Kaspersky for a scan.

    O4 - HKLM\..\Run: [ShutDownOnTime] C:\Program Files\ShutDownOnTime\ShutDownOnTime.exe

    This O18 line is showing the hpuiprot.dll file as 'missing'. Did you uninstall the HP Component Manager (hpcoretech) ? If you didn't, can you check in the folder C:\Program Files\HP\hpcoretech\comp\ and see if the 'hpuiprot.dll' file is still there, and let me know.

    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (file missing)


    Here's a little information about P2P worms from McAfee

    -snip-
    "Usually P2P worms create multiple copies of itself under enticing names in the folders responsible for file-sharing (ex., "Kazaa\My Shared Folder" or "Kazaa\LocalContent"). Then, during a P2P session someone may download one of these files. When the file is executed by the recipient his installation would have copies of the worms for offer too."

    With that in mind, you should scan each and every file you download, then scan your file-sharing folder (and your entire hard drive) regularily before and after using a P2P app. so you are not keeping the cycle going by sharing an infected file. Using a P2P is of course extremly high risk for infection, and not recommended, but if you are going to continue to use file sharing then it would be to your benefit, and the internet's, to keep your antivirus, anti-trojan, and anti-spyare programs up-to-date and resident (actively scanning) along with using a good firewall. You can find more information about these kinds of security applicatons here: Free Tools And also here for some ways to tighten your security and prevent future infection: Why did I get infected in the first place?

    Before you do anymore p2p file sharing (this is where alot of your infections are coming from), it would be a good idea now to turn off your System Restore and reboot your computer. This will remove any infected files that would have been backed up in the System Restore folder: System Restore Instructions for XP. Remember to re-enable System Restore after the reboot, and set a new Restore Point. This way you will have a clean state to return to if you should happen to get reinfected again.

    I am not sure if you understood what I meant when I said the 'adware, spyware & hijack cleaning forum' here is closing. It is just this specific sub-forum only where the hijackthis logs are reviewed. Wilderssecurity forum is not closing. There are, however, excellent sites for hijackthis log analysis, such as Spywareinfo, ComputerCops, and TomCoyotes to name a few, and you can find them all listed here in this link. Just be sure and follow their posting policies and guidelines before posting a hijackthis log. For any other security-related questions, feel free to start a new topic here in one of our other forums. :)

    Have a wonderful time at the Olympics! :D Wow...sounds like a great vacation!

    Regards,

    snap
Thread Status:
Not open for further replies.