worms and trojans

Discussion in 'adware, spyware & hijack cleaning' started by elgrimio, May 25, 2004.

Thread Status:
Not open for further replies.
  1. elgrimio

    elgrimio Registered Member

    Joined:
    May 25, 2004
    Posts:
    5
    hot kiss 1on1 xxx server

    ive been having problems with this and ive been told to delete hidden files but i dosnt seem to work any suggestions


    heres my log
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\mousebut.exe
    C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\enbiei.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\WINDOWS\System32\mslaugh.exe
    C:\Program Files\RAM Def\ramdef.exe
    C:\windows\system32\sncntr.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    C:\WINDOWS\lsass.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AOL 8.0\waol.exe
    C:\Program Files\AOL 8.0\shellmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\SETUP\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.777search.com
    F1 - win.ini: run=c:\windows\system32\mousebut.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [ICONFIG.EXE] C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE "Software\Shuttle Technology\80000010"
    O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\System32\Rscmpt.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [PAV.EXE] C:\WINDOWS
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [RAMBooster.Net] C:\Program Files\RAMBooster.Net\RAMBooster.exe -m
    O4 - HKLM\..\Run: [RAMDef] C:\Program Files\RAM Def\ramdef.exe -tray
    O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [vwrsfin] C:\WINDOWS\System32\vwrsfin.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
    O4 - HKLM\..\Run: [Mousebut] c:\windows\system32\mousebut.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mousebut] c:\windows\system32\mousebut.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3AA340A6-90CD-4698-AC86-2C88E220345E}: NameServer = 195.93.51.134
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B956CFB1-6A51-4D6F-9CFA-43B1EF260680}: NameServer = 152.163.0.26 205.188.64.153
     
  2. elgrimio

    elgrimio Registered Member

    Joined:
    May 25, 2004
    Posts:
    5
    Re: hot kiss 1on1 xxx server

    sorry the top part of the log is

    Logfile of HijackThis v1.97.7
    Scan saved at 18:19:59, on 25/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
     
  3. elgrimio

    elgrimio Registered Member

    Joined:
    May 25, 2004
    Posts:
    5
    me again dont know if you saw my last post

    Logfile of HijackThis v1.97.7
    Scan saved at 18:19:59, on 25/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\mousebut.exe
    C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\enbiei.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\WINDOWS\System32\mslaugh.exe
    C:\Program Files\RAM Def\ramdef.exe
    C:\windows\system32\sncntr.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    C:\WINDOWS\lsass.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AOL 8.0\waol.exe
    C:\Program Files\AOL 8.0\shellmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\SETUP\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.777search.com
    F1 - win.ini: run=c:\windows\system32\mousebut.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [ICONFIG.EXE] C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE "Software\Shuttle Technology\80000010"
    O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\System32\Rscmpt.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [PAV.EXE] C:\WINDOWS
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [RAMBooster.Net] C:\Program Files\RAMBooster.Net\RAMBooster.exe -m
    O4 - HKLM\..\Run: [RAMDef] C:\Program Files\RAM Def\ramdef.exe -tray
    O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [vwrsfin] C:\WINDOWS\System32\vwrsfin.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
    O4 - HKLM\..\Run: [Mousebut] c:\windows\system32\mousebut.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mousebut] c:\windows\system32\mousebut.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3AA340A6-90CD-4698-AC86-2C88E220345E}: NameServer = 195.93.51.134
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B956CFB1-6A51-4D6F-9CFA-43B1EF260680}: NameServer = 152.163.0.26 205.188.64.153
     
  4. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Re: 1on1 hot kiss dialler

    Hi elgrimio,

    Besides your hit kiss problem you also have a couple of worms and trojans/virus

    Have only HijackThis running and fix :

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.777search.com

    F1 - win.ini: run=c:\windows\system32\mousebut.exe

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

    O4 - HKLM\..\Run: [PAV.EXE] C:\WINDOWS
    O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
    O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
    O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
    O4 - HKLM\..\Run: [vwrsfin] C:\WINDOWS\System32\vwrsfin.exe
    O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
    O4 - HKCU\..\Run: [Mousebut] c:\windows\system32\mousebut.exe

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    Make sure all hidden files and folders are enabled to show : Here's How

    Then boot into safe mode : Here's How and remove :

    teekids.exe <- this file
    enbiei.exe <- this file
    C:\WINDOWS\System32\P2P Networking\ <- uninstall via add/remove programs in control panel
    mslaugh.exe <- this file
    c:\windows\system32\sncntr.exe <- this file
    C:\WINDOWS\System32\vwrsfin.exe <- this file
    C:\WINDOWS\lsass.exe <- this file in THAT folder

    Restart again in normal mode and do a free online scan :

    http://housecall.trendmicro.com/

    Also download msblast removal tool :

    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Repost another log after doing all this

    Cheers,


    c:\windows\system32\mousebut.exe
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re: hot kiss 1on1 xxx server

    Hi elgrimio,

    Download and run: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.777search.com
    F1 - win.ini: run=c:\windows\system32\mousebut.exe

    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

    O4 - HKLM\..\Run: [PAV.EXE] C:\WINDOWS

    O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe

    O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm

    O4 - HKLM\..\Run: [vwrsfin] C:\WINDOWS\System32\vwrsfin.exe

    O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
    O4 - HKLM\..\Run: [Mousebut] c:\windows\system32\mousebut.exe

    O4 - HKCU\..\Run: [Mousebut] c:\windows\system32\mousebut.exe

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    Then reboot into safe mode and delete:
    C:\WINDOWS\lsass.exe
    c:\windows\system32\sncntr.exe

    Then please send this file:
    c:\windows\system32\mousebut.exe
    to the adress in my profile, preferably zipped up.

    Regards,

    Pieter
     
  6. elgrimio

    elgrimio Registered Member

    Joined:
    May 25, 2004
    Posts:
    5
    Re: 1on1 hot kiss dialler

    heres my new log i wasnt sure wether or not to delete enbiei because it was in the system 32 folder should i delete it still

    anyway heres my new log


    Logfile of HijackThis v1.97.7
    Scan saved at 11:42:57, on 26/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\windows\system32\mousebut.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\AOL 8.0\waol.exe
    C:\Program Files\AOL 8.0\shellmon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\SETUP\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ICONFIG.EXE] C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE "Software\Shuttle Technology\80000010"
    O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\System32\Rscmpt.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RAMBooster.Net] C:\Program Files\RAMBooster.Net\RAMBooster.exe -m
    O4 - HKLM\..\Run: [RAMDef] C:\Program Files\RAM Def\ramdef.exe -tray
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mousebut] c:\windows\system32\mousebut.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3AA340A6-90CD-4698-AC86-2C88E220345E}: NameServer = 195.93.51.134
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B956CFB1-6A51-4D6F-9CFA-43B1EF260680}: NameServer = 152.163.0.26 205.188.64.153
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Could you please reread all the responses you got. Now that I found and merged all your posts.

    Please keep them in one thread.

    Regards,

    Pieter
     
  8. elgrimio

    elgrimio Registered Member

    Joined:
    May 25, 2004
    Posts:
    5
    yer sorry about that but am i clean



    Logfile of HijackThis v1.97.7
    Scan saved at 13:13:23, on 26/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Panda Software\Panda Platinum Internet Security\apvxdwin.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
    C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\RAM Def\ramdef.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\windows\system32\mousebut.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
    C:\Program Files\AOL 8.0\waol.exe
    C:\Program Files\AOL 8.0\shellmon.exe
    C:\Documents and Settings\SETUP\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ICONFIG.EXE] C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE "Software\Shuttle Technology\80000010"
    O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\System32\Rscmpt.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [RAMBooster.Net] C:\Program Files\RAMBooster.Net\RAMBooster.exe -m
    O4 - HKLM\..\Run: [RAMDef] C:\Program Files\RAM Def\ramdef.exe -tray
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mousebut] c:\windows\system32\mousebut.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda platinum internet security\pavlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda platinum internet security\pavlsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda platinum internet security\pavlsp.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3AA340A6-90CD-4698-AC86-2C88E220345E}: NameServer = 195.93.48.134
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B956CFB1-6A51-4D6F-9CFA-43B1EF260680}: NameServer = 152.163.0.26 205.188.64.153
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Well, that depends. I still don't know what that mousebut exactly is, but it is still running and I suspect it's trouble.

    Surf to http://www.kaspersky.com/remoteviruschk.html and have this file checked:
    c:\windows\system32\mousebut.exe

    Let us know the results.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.