Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Hijackthis Log--Please Help Diagnose it, Thanks!

Started by xylene507 , Oct 17 2006 02:20 PM

Please log in to reply

#1
xylene507

Posted 17 October 2006 - 02:20 PM

New Member

Member
8 posts

There's this virus that keeps on redirecting my pages in Google. I've tried running my AdAware but everytime it comes across the HKey, it freezes and can no longer proceed with the scan. I assume there's a virus in there that's doing that. So I ran the HijackThis instead.
Any help will be greatly appreciated. Thanks in advance!!!

Logfile of HijackThis v1.99.1
Scan saved at 3:10:46 PM, on 10/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\logon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\CROSOF~1\services.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {A6B2351A-A9AA-840D-8EBC-83DA1CBE3D97} - C:\WINDOWS\system32\bititu.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {A2B46443-A9A5-8653-8CBC-83DA1CBD6A9F} - C:\WINDOWS\system32\dxcege.dll (file missing)
O2 - BHO: (no name) - {A4B0FA6F-6F81-4D2B-F7DF-101340A8319F} - C:\WINDOWS\system32\rtgfzze.dll (file missing)
O2 - BHO: (no name) - {A6B2351A-A9AA-840D-8EBC-83DA1CBE3D97} - C:\WINDOWS\system32\bititu.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Dwtw] "C:\PROGRA~1\CROSOF~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Jwrlrs] C:\Program Files\a?sembly\?hkdsk.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe (file missing)
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{798B37FB-D6B2-4791-8D9B-FAEB16AAB199}: NameServer = 85.255.113.116,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D779137-9101-43BA-A83D-01D67495E2DF}: NameServer = 85.255.113.116,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA956DA1-AACA-4754-88E8-33126BFCDFBD}: NameServer = 85.255.113.116,85.255.112.80
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\ailui.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

I also have killbox and ccleaner installed. I just don't know which of these to fix.

Thanks once again!!

#2
Buckeye_Sam

Posted 17 October 2006 - 02:45 PM

Malware Expert

Member
10,019 posts

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :whistling:

You've got at least two issues that show up in your log, so this will take a few steps.

Please download FixWareout from one of these sites:

http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.

#3
xylene507

Posted 17 October 2006 - 03:21 PM

New Member

Topic Starter
Member
8 posts

Hi Sam! Thank you for responding so quickly.

I ran the programs like u instructed and here are the files.

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}326DFD43C8C6-E78A-4844-30ED-E3839AEC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}61E99EF457AF-9639-C644-9CA9-3FE8BC15{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ekrmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmrke.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

遙遙?Searching by size/names...
Invalid keyboard code specified

遙遙?
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSYKK.EXE 51,775 2006-10-16
C:\WINDOWS\SYSTEM32\DMRKE.EXE 61,020 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

遙遙?Misc files.

遙遙?Checking for older varients covered by the Rem3 tool.

Logfile of HijackThis v1.99.1
Scan saved at 5:19:17 PM, on 10/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\logon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\CROSOF~1\services.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {A6B2351A-A9AA-840D-8EBC-83DA1CBE3D97} - C:\WINDOWS\system32\bititu.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {A2B46443-A9A5-8653-8CBC-83DA1CBD6A9F} - C:\WINDOWS\system32\dxcege.dll (file missing)
O2 - BHO: (no name) - {A4B0FA6F-6F81-4D2B-F7DF-101340A8319F} - C:\WINDOWS\system32\rtgfzze.dll (file missing)
O2 - BHO: (no name) - {A6B2351A-A9AA-840D-8EBC-83DA1CBE3D97} - C:\WINDOWS\system32\bititu.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Dwtw] "C:\PROGRA~1\CROSOF~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Jwrlrs] C:\Program Files\a?sembly\?hkdsk.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe (file missing)
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{798B37FB-D6B2-4791-8D9B-FAEB16AAB199}: NameServer = 85.255.113.116,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D779137-9101-43BA-A83D-01D67495E2DF}: NameServer = 85.255.113.116,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA956DA1-AACA-4754-88E8-33126BFCDFBD}: NameServer = 85.255.113.116,85.255.112.80
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\System32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\ailui.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Awaiting your next instructions...thanks!!!

#4
Buckeye_Sam

Posted 17 October 2006 - 03:34 PM

Malware Expert

Member
10,019 posts

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{798B37FB-D6B2-4791-8D9B-FAEB16AAB199}: NameServer = 85.255.113.116,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D779137-9101-43BA-A83D-01D67495E2DF}: NameServer = 85.255.113.116,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA956DA1-AACA-4754-88E8-33126BFCDFBD}: NameServer = 85.255.113.116,85.255.112.80
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.116 85.255.112.80

===========================

Now lets check some settings on your system.

Enter your Control Panel and double-click on Network Connections
Then right click on your Default Connection
- Usually Local Area Connection for Cable and DSL
Left click on Properties
Double-Click on the Internet Protocol (TCP/IP) item
Select the radio dial that says Obtain DNS Servers Automatically
Press OK twice to get out of the properties screen and reboot if it asks

Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

============================

Please download AVG Anti-Spyware and save that file to your desktop.
This is a 30 day trial of the program

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware scan report along with a new hijackthis log.

#5
xylene507

Posted 17 October 2006 - 05:51 PM

New Member

Topic Starter
Member
8 posts

SCAN REPORT:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:36:34 PM 10/17/2006

+ Scan result:

HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-842925246-879983540-839522115-1003\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-842925246-879983540-839522115-1003\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-842925246-879983540-839522115-1003\Software\Internet Security -> Adware.IntCodec : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP586\A0073357.EXE -> Adware.MyWebSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP600\A0075514.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP600\A0075515.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP600\A0075520.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP611\A0077777.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP611\A0077900.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP614\A0078148.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bititu.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
HKU\S-1-5-21-842925246-879983540-839522115-1003\Software\RX Toolbar -> Adware.RXToolbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP598\A0074234.dll -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP598\A0074170.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP611\A0077907.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\i39.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Local Settings\Temp\i7A.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Program Files\Common Files\misc002\DXC.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP598\A0074141.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP598\A0074247.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP611\A0078003.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP611\A0078004.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP611\A0078005.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP613\A0078028.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP600\A0075512.dll -> Adware.Webdir : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} -> Adware.WebDir : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP598\A0074258.exe -> Downloader.Adload.gf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP598\A0074250.exe -> Downloader.Adload.gg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP600\A0075518.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP598\A0074246.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP616\A0079503.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\WINDOWS\logon.exe -> Downloader.VB.fi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP600\A0075517.exe -> Dropper.SurfSide.a : Cleaned with backup (quarantined).
:mozilla.100:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.109:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.62:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.101:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.102:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.103:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.104:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.116:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.117:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.118:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.67:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.68:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.69:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.71:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.72:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\auo3gzy1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP616\A0078471.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP616\A0079471.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{20A6E07E-6D51-4732-A00C-C07FC8572162}\RP616\A0079484.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmrke.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).

::Report end

HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 7:43:59 PM, on 10/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {A6B2351A-A9AA-840D-8EBC-83DA1CBE3D97} - C:\WINDOWS\system32\bititu.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {A2B46443-A9A5-8653-8CBC-83DA1CBD6A9F} - C:\WINDOWS\system32\dxcege.dll (file missing)
O2 - BHO: (no name) - {A4B0FA6F-6F81-4D2B-F7DF-101340A8319F} - C:\WINDOWS\system32\rtgfzze.dll (file missing)
O2 - BHO: (no name) - {A6B2351A-A9AA-840D-8EBC-83DA1CBE3D97} - C:\WINDOWS\system32\bititu.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Dwtw] "C:\PROGRA~1\CROSOF~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Jwrlrs] C:\Program Files\a?sembly\?hkdsk.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe (file missing)
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...bio5_3_16_0.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\ailui.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

#6
Buckeye_Sam

Posted 18 October 2006 - 01:58 PM

Malware Expert

Member
10,019 posts

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R3 - URLSearchHook: (no name) - {A6B2351A-A9AA-840D-8EBC-83DA1CBE3D97} - C:\WINDOWS\system32\bititu.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {A2B46443-A9A5-8653-8CBC-83DA1CBD6A9F} - C:\WINDOWS\system32\dxcege.dll (file missing)
O2 - BHO: (no name) - {A4B0FA6F-6F81-4D2B-F7DF-101340A8319F} - C:\WINDOWS\system32\rtgfzze.dll (file missing)
O2 - BHO: (no name) - {A6B2351A-A9AA-840D-8EBC-83DA1CBE3D97} - C:\WINDOWS\system32\bititu.dll (file missing)
O4 - HKCU\..\Run: [Dwtw] "C:\PROGRA~1\CROSOF~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Jwrlrs] C:\Program Files\a?sembly\?hkdsk.exe
O4 - HKCU\..\Run: [cprocsvc] C:\WINDOWS\system32\crunner\cproc.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\ailui.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

Reboot your computer.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#7
xylene507

Posted 18 October 2006 - 02:40 PM

New Member

Topic Starter
Member
8 posts

Here it is...

Owner - 06-10-18 16:26:32.87 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Owner\Application Data\Dxccwrd.dll
C:\Documents and Settings\Owner\Application Data\Dxcdmns.dll
C:\Documents and Settings\Owner\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Owner\Application Data\Dxcuknwrd.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Common Files\misc002

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\Application Data\APPATC~1
C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\Program Files\Common Files\STEM~1
C:\QooBox\Purity\Program Files\CROSOF~1\??crosoft
C:\QooBox\Purity\WINDOWS\YMBOLS~1

((((((((((((((((((((((((((((((( Files Created from 2006-09-18 to 2006-10-18 ))))))))))))))))))))))))))))))))))

2006-10-17 18:20 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-17 14:59 51,775 --a------ C:\WINDOWS\system32\csykk.exe
2006-10-15 22:10 2 --a------ C:\WINDOWS\system32\wnsapisv.exe
2006-10-11 15:47 16,384 --a------ C:\WINDOWS\system32\FileOps.exe
2006-10-06 17:15 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2006-10-06 15:23 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-09-24 21:26 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2006-09-24 21:25 344,064 --a------ C:\WINDOWS\system32\Msvcr70.dll
2006-09-23 13:34 348,160 --a------ C:\WINDOWS\system32\axVideoConvert.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-18 16:29 -------- d-------- C:\Program Files\Common Files
2006-10-18 16:13 -------- d-------- C:\Program Files\HijackThis
2006-10-18 14:41 -------- d-------- C:\Program Files\SecondLife
2006-10-18 14:41 -------- d-------- C:\Documents and Settings\Owner\Application Data\SecondLife
2006-10-17 18:20 -------- d-------- C:\Program Files\Grisoft
2006-10-17 17:23 -------- d-------- C:\Program Files\Fixwareout
2006-10-17 14:57 -------- d-------- C:\Program Files\CCleaner
2006-10-17 14:39 -------- d-------- C:\Program Files\Windows Media Player
2006-10-17 03:04 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-15 14:26 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-10-13 15:07 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-13 13:31 -------- d--h----- C:\Program Files\Common Files\cloader
2006-10-12 18:07 -------- d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2006-10-12 14:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-10-11 20:29 -------- d-------- C:\Program Files\Macromedia
2006-10-11 19:32 -------- d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-10-11 19:29 -------- d-------- C:\Program Files\Common Files\Macromedia
2006-10-11 16:52 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-11 16:52 -------- d-------- C:\Program Files\Adobe
2006-10-11 16:02 -------- d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2006-10-11 15:51 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-10-06 17:48 -------- d-------- C:\Program Files\Symantec_Client_Security
2006-10-06 16:44 -------- d-------- C:\Program Files\ffdshow
2006-10-06 16:37 -------- d-------- C:\Program Files\MSN Messenger
2006-10-05 21:16 517 --a------ C:\Program Files\Common Files\howe
2006-09-26 21:01 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-09-26 20:33 -------- d-------- C:\Program Files\Microsoft SQL Server
2006-09-26 20:28 -------- d-------- C:\Program Files\Microsoft.NET
2006-09-24 15:58 -------- d-------- C:\Program Files\Messenger
2006-09-24 15:58 -------- d-------- C:\Program Files\DivX
2006-09-21 15:34 -------- d-------- C:\Program Files\LIVEUPDATE
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-11 01:19 -------- d-------- C:\Program Files\QuickTime
2006-09-07 21:56 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeAUM
2006-09-01 12:08 1334032 --a------ C:\WINDOWS\system32\msxml6.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 15:49 317208 --a------ C:\Program Files\dxwebsetup.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-28 09:30 62744 --a--c--- C:\WINDOWS\system32\xinput1_2.dll
2006-07-28 09:30 236824 --a--c--- C:\WINDOWS\system32\xactengine2_3.dll
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"BitComet"="\"C:\\Program Files\\BitComet\\BitComet.exe\""
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Symantec_Client_Security\\kyfevyma.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\MSN Messenger\\hocy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\180ax]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="180ax"
"hkey"="HKLM"
"command"="c:\\windows\\180ax.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdWare SpyWare Blocker and Removal]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdWare SpyWare Blocker and Removal"
"hkey"="HKCU"
"command"="C:\\Program Files\\AdWare SpyWare Blocker and Removal\\AdWare SpyWare Blocker and Removal.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FinePrint Dispatcher v5]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fpdisp5a"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fpdisp5a.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kvkvkhwz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kvkvkhwz"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\kvkvkhwz.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LXSUPMON"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\LXSUPMON.EXE RUN"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkUFind"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSProxy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ossproxy"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\ossproxy.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SrchfstUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="srchupdt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\srchupdt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tpcupdater]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="updatetc"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\updatetc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherEye]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WeatherEye"
"hkey"="HKCU"
"command"="C:\\program files\\TheWeatherNetwork\\WeatherEye\\WeatherEye"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wkfud"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZingSpooler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ZingSpooler"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Zing\\ZingSpooler.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-18 16:33:09.25
C:\ComboFix.txt ... 06-10-18 16:33

#8
Buckeye_Sam

Posted 18 October 2006 - 03:11 PM

Malware Expert

Member
10,019 posts

Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tpcupdater]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SrchfstUpdate]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSProxy]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kvkvkhwz]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdWare SpyWare Blocker and Removal]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\180ax]

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

==============

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
- Delete on Reboot
- then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\MSN Messenger\hocy.html
C:\Program Files\Symantec_Client_Security\kyfevyma.html
C:\WINDOWS\system32\csykk.exe
C:\WINDOWS\system32\wnsapisv.exe
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.
After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
Post this log in your next reply.

=============

Now let's check your desktop settings.

Click Start -> Control Panel -> Display
Go to the Desktop tab and click on the Customize Desktop button.
Go to the Web tab
Select anything except "My Current Homepage" and then click the Delete button.

=============

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

#9
xylene507

Posted 19 October 2006 - 04:02 PM

New Member

Topic Starter
Member
8 posts

When I ran killbox, no PendingFileRenameOperations prompts occured. It just restarted my computer.

Here's the log:

Pocket Killbox version 2.0.0.881
Running on Windows XP as Owner(Administrator)
was started @ Tuesday, October 17, 2006, 2:43 PM

Killbox Closed(Exit) @ 2:44:20 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Owner(Administrator)
was started @ Thursday, October 19, 2006, 3:55 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\csykk.exe

# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\wnsapisv.exe

# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\csykk.exe

# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\wnsapisv.exe

I Rebooted @ 3:57:09 PM
Killbox Closed(Exit) @ 3:57:15 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Owner(Administrator)
was started @ Thursday, October 19, 2006, 4:05 PM

THE ACTIVE SCAN REPORT:

Incident Status Location

Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UDC6_0001_D19M1908NetInstaller.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/topconvert Not disinfected Windows Registry
Potentially unwanted tool:application/need2find Not disinfected hkey_current_user\software\Need2Find
Adware:adware/abox Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner\Cookies\owner@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cassava[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\My Downloads\AntiPuper.exe[2?C]
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\HijackThis\backups\backup-20061017-181435-548.inf

HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 6:02:51 PM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\KillBox.exe
C:\WINDOWS\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe (file missing)
O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - C:\PROGRA~1\NetAnts\NetAnts.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab....geUploader4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...bio5_3_16_0.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

#10
Buckeye_Sam

Posted 19 October 2006 - 07:16 PM

Malware Expert

Member
10,019 posts

Use Killbox to delete these files.

c:\windows\downloaded program files\UDC6_0001_D19M1908NetInstaller.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Ssk.log

I see some signs of Norton in your log, but it doesn't appear to be running. Do you have Norton installed?

How is your computer running now? Are you still having any problems or issues?

#11
xylene507

Posted 20 October 2006 - 05:48 PM

New Member

Topic Starter
Member
8 posts

I do have Norton installed but that was a few years back. I don't normally use it because whenever i run it, it doesn't seem to be able to detect the viruses that my adaware program could.

I think my computer is running fine now. It's not slow anymore and it no longer redirects me to other pages. Thanks for all your help!!! :whistling:

#12
Buckeye_Sam

Posted 21 October 2006 - 03:55 PM

Malware Expert

Member
10,019 posts

You're welcome! :blink:

I would strongly recommend that you use some type of antivirus protection. If you are not happy with Norton, then you'd be better off to uninstall it completely and install another program. AVG offers an excellent free antivirus program.

Here's some other suggestions for you.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

or

Windows XP System Restore Guide

Renable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.