Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HJT log

Started by raucher1989 , Oct 19 2006 10:20 AM

  • This topic is locked This topic is locked

#16
raucher1989
Posted 29 October 2006 - 11:11 AM

raucher1989

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Fixwareout Log


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 12:09:45 PM, on 10/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\water.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.114.36 85.255.112.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks
  • 0

Advertisements

#17
Armodeluxe
Posted 30 October 2006 - 06:59 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Open HijackThis and click Scan. Put a check next to this:

O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.114.36 85.255.112.23

Close all other windows except HijackThis and click Fix Checked.

Use the computer normally for couple days and then post a new HijackThis log and a new combofix log to make sure nothing is coming back. If you experience any anomaly, then post right away instead of waiting couple days.
  • 0

#18
raucher1989
Posted 31 October 2006 - 10:33 AM

raucher1989

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
I am responding already because the internet just stopped working like it used to before. Also, there is a suspicious-looking file on my task manager called alg.exe.

ComboFix Log

Owner - 06-10-31 11:30:54.48 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-31 to 2006-10-31 ))))))))))))))))))))))))))))))))))


2006-10-24 05:49 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-10-06 14:49 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-31 11:25 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-31 11:25 -------- d-------- C:\Program Files\Common Files
2006-10-31 11:17 -------- d-------- C:\Program Files\GenoPro
2006-10-24 13:50 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-24 13:20 -------- d-------- C:\Documents and Settings\Owner\Application Data\WeatherBug
2006-10-24 05:49 -------- d-------- C:\Program Files\Lexmark X74-X75
2006-10-06 14:49 -------- d-------- C:\Program Files\Internet Explorer
2006-10-06 14:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-10-06 14:41 -------- d-------- C:\Program Files\Java
2006-10-06 14:13 -------- d-------- C:\Program Files\Norton AntiVirus
2006-10-06 14:13 -------- d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-10-05 23:18 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-10-05 14:54 -------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2006-10-05 14:47 -------- d-------- C:\Program Files\QuickTime
2006-10-05 14:39 -------- d-------- C:\Program Files\Apple Software Update
2006-09-25 17:59 -------- d-------- C:\Program Files\MyWebSearchWB
2006-09-25 17:58 -------- d-------- C:\Program Files\AWS
2006-09-19 14:33 -------- d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2006-09-19 14:16 -------- d-------- C:\Program Files\Symantec
2006-09-15 22:52 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-15 22:52 124016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-09-07 13:35 -------- d-------- C:\Documents and Settings\Owner\Application Data\Real
2006-09-07 13:33 -------- d-------- C:\Program Files\Common Files\xing shared
2006-09-07 13:33 -------- d-------- C:\Program Files\Common Files\Real
2006-08-27 19:11 89088 --a------ C:\WINDOWS\system32\setup_31872.exe
2006-08-18 01:58 57344 --a------ C:\WINDOWS\uneng.exe
2006-08-18 01:38 45056 --a------ C:\WINDOWS\system32\PCTKRNT.SYS
2006-08-18 01:20 126976 --a------ C:\WINDOWS\system32\unzdll.dll
2006-08-18 01:02 0 -rahs---- C:\MSDOS.SYS
2006-08-18 01:02 0 -rahs---- C:\IO.SYS
2006-08-18 01:02 0 --a------ C:\CONFIG.SYS
2006-08-18 01:02 0 --a------ C:\AUTOEXEC.BAT
2006-08-17 19:55 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini
2006-08-04 10:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-04 10:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SFP"="C:\\Program Files\\Common Files\\Verizon Online\\SFP\\vzSFPWin.EXE /s"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PROMon.exe"="PROMon.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Lexmark X74-X75"="\"C:\\Program Files\\Lexmark X74-X75\\lxbbbmgr.exe\""
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\SUPPOR~1\\SMARTB~1\\MotiveSB.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-10-31 11:31:47.64
C:\ComboFix.txt ... 06-10-31 11:31
C:\ComboFix3.txt ... 06-10-26 14:59

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 11:33:24 AM, on 10/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\water.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.113.132 85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.132 85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.132 85.255.112.84
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thanks
  • 0

#19
Armodeluxe
Posted 01 November 2006 - 07:30 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Delete this file:

C:\WINDOWS\system32\setup_31872.exe

Run Fixwareout again.

Then open HijackThis and click Scan. Put a check next to these:

O17 - HKLM\System\CCS\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.113.132 85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.132 85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.113.132,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.132 85.255.112.84


Close all other windows except HijackThis and click Fix Checked.

In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable one some systems


Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

Then post a new HijackThis log and the Fixwareout log.
  • 0

#20
raucher1989
Posted 01 November 2006 - 01:43 PM

raucher1989

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 2:42:03 PM, on 11/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\water.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Fixwareout Log

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EC01945D6872-3928-18D4-C743-5AC96208{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DFFE57FA6567-DBF8-A794-E8D8-7708DF5D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\irkmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmkri.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSMWS.EXE 51,760 2006-10-31
C:\WINDOWS\SYSTEM32\DMNNC.EXE 60,942 2002-09-03

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

Thanks
  • 0

#21
Armodeluxe
Posted 02 November 2006 - 06:41 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Delete these files:

C:\WINDOWS\SYSTEM32\CSMWS.EXE
C:\WINDOWS\SYSTEM32\DMNNC.EXE

I want to take a deeper look at the system. Please post the following log, but the log will be too big to paste, so attach it to the post.

Also, please download SREng
http://www.kztechs.c...reng/sreng2.zip

Extract it to Desktop and double click SREng.exe to run it.
Select: Smart Scan and click on the [Scan] button.

It may take a long while to finish and even at some points the progress bar may stop, but it will be continuing the scan, be patient.

When finished, click on the Save Reports button and save the log to Desktop

Please post the SREng log in your reply.
  • 0

#22
raucher1989
Posted 02 November 2006 - 12:24 PM

raucher1989

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
The SREngLOG didn't take long at all. But here it is...

SREngLOG

2006-11-02,13:20:08

System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)

Windows XP Home Edition Service Pack 1 (Build 2600)
- Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<SFP><C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s> [Verizon Internet Solutions]
<msnmsgr><"C:\Program Files\MSN Messenger\msnmsgr.exe" /background> [(Verified)Microsoft Corporation]
<AIM><C:\Program Files\AIM\aim.exe -cnetwait.odl> [(Verified)America Online, Inc.]
<Weather><C:\Program Files\AWS\WeatherBug\Weather.exe 1> [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<PROMon.exe><PROMon.exe> [N/A]
<IgfxTray><C:\WINDOWS\System32\igfxtray.exe> [(Verified)Intel Corporation]
<HotKeysCmds><C:\WINDOWS\System32\hkcmd.exe> [(Verified)Intel Corporation]
<GWMDMMSG><GWMDMMSG.exe> [(Verified)GTW]
<GWMDMpi><C:\WINDOWS\GWMDMpi.exe> [N/A]
<ccApp><C:\Program Files\Common Files\Symantec Shared\ccApp.exe> [(Verified)Symantec Corporation]
<ccRegVfy><C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe> [(Verified)Symantec Corporation]
<AdaptecDirectCD><"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"> [Roxio]
<Lexmark X74-X75><"C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"> [Lexmark International, Inc.]
<Motive SmartBridge><C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe> [Motive Communications, Inc.]
<SunJavaUpdateSched><C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe> [Sun Microsystems, Inc.]
<Symantec NetDriver Monitor><C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer> [(Verified)Symantec Corporation]
<SSC_UserPrompt><C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe> [(Verified)Symantec Corporation]
<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [RealNetworks, Inc.]
<QuickTime Task><"C:\Program Files\QuickTime\qttask.exe" -atboottime> [Apple Computer, Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll> [Anti-Malware Development a.s.]

==================================
Startup Folders
[Verizon Online Support Center]
<C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk --> C:\PROGRA~1\VERIZO~1\SUPPOR~1\bin\matcli.exe [Motive Communications, Inc.]><N>

==================================
Services
[Application Management / AppMgmt]
<C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
[Symantec Event Manager / ccEvtMgr]
<C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe><Symantec Corporation>
[Symantec Password Validation Service / ccPwdSvc]
<C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe><Symantec Corporation>
[ewido anti-spyware 4.0 guard / ewido anti-spyware 4.0 guard]
<C:\Program Files\ewido anti-spyware 4.0\guard.exe><Anti-Malware Development a.s.>
[Human Interface Device Access / HidServ]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[ipv7 / ipv7]
<"C:\WINDOWS\ipv7.exe"><N/A>
[LexBce Server / LexBceS]
<C:\WINDOWS\system32\LEXBCES.EXE><Lexmark International, Inc.>
[Norton AntiVirus Auto Protect Service / navapsvc]
<"C:\Program Files\Norton AntiVirus\navapsvc.exe"><Symantec Corporation>
[Intel® NMS / NMSSvc]
<C:\WINDOWS\System32\NMSSvc.exe><Intel Corporation>
[PictureTaker / PictureTaker]
<C:\WINDOWS\System32\PCTKRNT.SYS><LANovation>
[PrismXL / PrismXL]
<C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS><Lanovation>
[ScriptBlocking Service / SBService]
<C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe><Symantec Corporation>
[Symantec Network Drivers Service / SNDSrvc]
<C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe><Symantec Corporation>
[SymWMI Service / SymWSC]
<C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe><Symantec Corporation>

==================================
Drivers
[BCM V.90 56K Modem / BCMModem]
<System32\DRIVERS\BCMDM.sys><BCM>
[Cdr4_xp / Cdr4_xp]
<C:\WINDOWS\SYSTEM32\DRIVERS\Cdr4_xp.SYS><Roxio>
[Cdralw2k / Cdralw2k]
<C:\WINDOWS\SYSTEM32\DRIVERS\Cdralw2k.SYS><Roxio>
[cdudf_xp / cdudf_xp]
<C:\WINDOWS\SYSTEM32\DRIVERS\cdudf_xp.SYS><Roxio>
[dvd_2K / dvd_2K]
<C:\WINDOWS\SYSTEM32\DRIVERS\dvd_2K.SYS><Roxio>
[Intel® PRO Adapter Driver / E100B]
<System32\DRIVERS\e100b325.sys><Intel Corporation>
[ewido anti-spyware 4.0 driver / ewido anti-spyware 4.0 driver]
<\??\C:\Program Files\ewido anti-spyware 4.0\guard.sys><N/A>
[GTW V.92 Voicemodem / GTWModem]
<System32\DRIVERS\GWMDM.sys><GTW>
[ialm / ialm]
<System32\DRIVERS\ialmnt5.sys><Intel Corporation>
[iscFlash / iscFlash]
<\??\C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys><N/A>
[mmc_2K / mmc_2K]
<C:\WINDOWS\SYSTEM32\DRIVERS\mmc_2K.SYS><Roxio>
[msdirectxclick / msdirectxclick]
<\??\C:\Documents and Settings\Owner\msdirectxclk.sys><N/A>
[NAVENG / NAVENG]
<\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061101.019\NAVENG.Sys><Symantec Corporation>
[NAVEX15 / NAVEX15]
<\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061101.019\NavEx15.Sys><Symantec Corporation>
[Pcdr Helper Driver / PCDRDRV]
<\??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys><N/A>
[PcdrNt / PcdrNt]
<\SystemRoot\System32\drivers\PcdrNt.sys><PC-Doctor Inc.>
[Direct Parallel Link Driver / Ptilink]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[pwd_2k / pwd_2k]
<C:\WINDOWS\SYSTEM32\DRIVERS\pwd_2k.SYS><Roxio>
[PxHelp20 / PxHelp20]
<\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[SAVRT / SAVRT]
<\??\C:\WINDOWS\System32\Drivers\SAVRT.SYS><Symantec Corporation>
[SAVRTPEL / SAVRTPEL]
<\??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS><Symantec Corporation>
[Secdrv / Secdrv]
<System32\DRIVERS\secdrv.sys><N/A>
[smwdm / smwdm]
<system32\drivers\smwdm.sys><Analog Devices, Inc.>
[SymEvent / SymEvent]
<\??\C:\Program Files\Symantec\SYMEVENT.SYS><Symantec Corporation>
[SYMREDRV / SYMREDRV]
<\SystemRoot\System32\Drivers\SYMREDRV.SYS><Symantec Corporation>
[SYMTDI / SYMTDI]
<\SystemRoot\System32\Drivers\SYMTDI.SYS><Symantec Corporation>
[tmcomm / tmcomm]
<\??\C:\WINDOWS\System32\drivers\tmcomm.sys><Trend Micro Inc.>
[UdfReadr_xp / UdfReadr_xp]
<C:\WINDOWS\SYSTEM32\DRIVERS\UdfReadr_xp.SYS><Roxio>

==================================
Browser Add-ons
[]
{53707962-6F74-2D53-2644-206D7942484F} <C:\PROGRA~1\SPYBOT~1\SDHelper.dll, Safer Networking Limited>
[SSVHelper Class]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[AIM]
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} <C:\Program Files\AIM\aim.exe, America Online, Inc.>
[Real.com]
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} <C:\WINDOWS\System32\Shdocvw.dll, Microsoft Corporation>
[Norton AntiVirus]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} <C:\Program Files\Norton AntiVirus\NavShExt.dll, Symantec Corporation>
[&Radio]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, N/A>
[CKAVWebScan Object]
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} <C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>
[DoMoreRunExe.DoMoreRun]
{0F04992B-E661-4DB9-B223-903AB628225D} <C:\WINDOWS\Downloaded Program Files\DoMoreRunExe.ocx, N/A>
[RunExeActiveX.RunExe]
{739E8D90-2F4C-43AD-A1B8-66C356FCEA35} <C:\WINDOWS\Downloaded Program Files\RunExeActiveX.ocx, Gateway Inc.>
[Java Plug-in]
{8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[StartFirstControl.CheckFirst]
{99CDFD87-F97A-42E1-9C13-D18220D90AD1} <C:\WINDOWS\Downloaded Program Files\CONFLICT.1\StartFirstControl.ocx, gateway>
[Java Plug-in]
{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in]
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.5.0_06]
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll, Sun Microsystems, Inc.>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9.ocx, Adobe Systems, Inc.>

==================================
Running Processes
[PID: 464][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
[C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll] [Anti-Malware Development a.s., 4, 0, 0, 172]
[PID: 536][C:\WINDOWS\System32\igfxtray.exe] [Intel Corporation, 3,0,0,1607]
[C:\WINDOWS\System32\hccutils.DLL] [Intel Corporation, 3,0,0,1607]
[C:\WINDOWS\System32\igfxdev.dll] [Intel Corporation, 3,0,0,1607]
[C:\WINDOWS\System32\igfxsrvc.dll] [Intel Corporation, 3,0,0,1607]
[C:\WINDOWS\System32\igfxres.dll] [Intel Corporation, 3,0,0,1607]
[C:\WINDOWS\System32\igfxress.dll] [Intel Corporation, 3,0,0,1607]
[PID: 544][C:\WINDOWS\System32\hkcmd.exe] [Intel Corporation, 3,0,0,1607]
[C:\WINDOWS\System32\hccutils.DLL] [Intel Corporation, 3,0,0,1607]
[C:\WINDOWS\System32\igfxdev.dll] [Intel Corporation, 3,0,0,1607]
[C:\WINDOWS\System32\igfxsrvc.dll] [Intel Corporation, 3,0,0,1607]
[C:\WINDOWS\System32\igfxhk.dll] [Intel Corporation, 3,0,0,1607]
[C:\WINDOWS\System32\igfxres.dll] [Intel Corporation, 3,0,0,1607]
[PID: 552][C:\WINDOWS\GWMDMMSG.exe] [GTW, 3.4.22 08/06/2002 14:26:16]
[PID: 584][C:\Program Files\Common Files\Symantec Shared\ccApp.exe] [Symantec Corporation, 1.00.104]
[C:\WINDOWS\System32\SYMSTORE.dll] [Symantec Corporation, 4.7.2.15]
[C:\PROGRA~1\COMMON~1\SYMANT~1\CCEMLPXY.DLL] [Symantec Corporation, 1.00.104]
[C:\WINDOWS\System32\SYMREDIR.dll] [Symantec Corporation, 5.5.1.6]
[C:\PROGRA~1\COMMON~1\SYMANT~1\ccErrDsp.DLL] [Symantec Corporation, 1.00.104]
[C:\PROGRA~1\COMMON~1\SYMANT~1\CCREGMON.DLL] [Symantec Corporation, 1.00.104]
[C:\PROGRA~1\COMMON~1\SYMANT~1\ccEvt.DLL] [Symantec Corporation, 1.00.104]
[C:\WINDOWS\System32\ccTrust.dll] [Symantec Corporation, 1.00.22]
[C:\PROGRA~1\NORTON~1\CCIMSCAN.DLL] [Symantec Corporation, 9.20.1006]
[C:\PROGRA~1\NORTON~1\DEFALERT.DLL] [Symantec Corporation, 9.20.3]
[C:\PROGRA~1\NORTON~1\NAVAPW32.DLL] [Symantec Corporation, 9.05.1015]
[C:\WINDOWS\System32\ccPasswd.DLL] [Symantec Corporation, 1.00.104]
[C:\PROGRA~1\NORTON~1\apwutil.dll] [Symantec Corporation, 9.05.1015]
[C:\PROGRA~1\NORTON~1\SavRT32.dll] [Symantec Corporation, 9.0.1.36]
[C:\Program Files\Norton AntiVirus\apwcmdnt.dll] [Symantec Corporation, 9.05.1015]
[C:\Program Files\Norton AntiVirus\NavEmail.dll] [Symantec Corporation, 9.05.1015]
[PID: 616][C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe] [Roxio, 5.3.0.105]
[C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\CDUDFLIB.dll] [Roxio, 5.3.0.105]
[C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\UDFRWLIB.dll] [Roxio, 5.3.0.105]
[C:\WINDOWS\System32\CDRTC.DLL] [Roxio, 5.3.0.105]
[C:\WINDOWS\System32\cdral.DLL] [Roxio, 5.3.0.105]
[PID: 720][C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe] [Motive Communications, Inc., 05.00.00.asst_classic.smartbridge.20020518_104000]
[C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\SBHook.dll] [Motive Communications, Inc., 05.00.00.asst_classic.smartbridge.20020518_104000]
[C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\httpclient50.dll] [Motive Communications, Inc., 1.04.00]
[C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\clientutil50.dll] [Motive Communications, Inc., 1.04.00]
[C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\SBRes.dll] [Motive Communications, Inc., 05.00.00.asst_classic.smartbridge.20020518_104000]
[C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\alertfilter.dll] [Motive Communications, Inc., 05.00.00.asst_classic.smartbridge.20020518_104000]
[PID: 892][C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe] [Sun Microsystems, Inc., 5.0.60.5]
[PID: 1100][C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe] [Symantec Corporation, 2005.1.2.20]
[PID: 1164][C:\Program Files\Common Files\Real\Update_OB\realsched.exe] [RealNetworks, Inc., 0.1.0.3510]
[PID: 3812][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]
[C:\PROGRA~1\SPYBOT~1\SDHelper.dll] [Safer Networking Limited, 1, 4, 0, 0]
[C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll] [Sun Microsystems, Inc., 5.0.60.5]
[C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll] [Symantec Corporation, 1, 1, 0, 126]
[C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll] [Symantec Corporation, 1, 1, 0, 126]
[C:\WINDOWS\System32\Macromed\Flash\Flash9.ocx] [Adobe Systems, Inc., 9,0,16,0]
[PID: 760][C:\Program Files\Messenger\msmsgs.exe] [Microsoft Corporation, 4.7.0041]
[C:\WINDOWS\System32\quartz.dll] [N/A, N/A]
[C:\WINDOWS\System32\devenum.dll] [N/A, N/A]
[C:\WINDOWS\System32\msdmo.dll] [N/A, N/A]
[PID: 3564][C:\Documents and Settings\Owner\Desktop\sreng2\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605]

==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1 localhost

==================================
  • 0

#23
Armodeluxe
Posted 03 November 2006 - 07:32 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Go to Start > Run and copy/paste the following lines one by one into the Run box, clicking OK after pasting each line.

sc stop ipv7
sc delete ipv7
sc stop msdirectxclick
sc delete msdirectxclick

Then reboot.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Then delete this file if it exists. Let me know if it exists but you can't delete it.

C:\Documents and Settings\Owner\msdirectxclk.sys

Again, wait a couple days then post a new HijackThis log and a new combofix log.
  • 0

#24
raucher1989
Posted 03 November 2006 - 06:26 PM

raucher1989

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
msdirectxclk.sys does not exist.
I'll check back in a couple of days....Thanks
  • 0

#25
Armodeluxe
Posted 05 November 2006 - 05:54 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Ok, I'll be waiting. :whistling:
  • 0

Advertisements

#26
raucher1989
Posted 08 November 2006 - 01:19 PM

raucher1989

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
ComboFix Log

Owner - 06-11-08 14:12:53.04 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-08 to 2006-11-08 ))))))))))))))))))))))))))))))))))


2006-11-07 02:01 705 --a------ C:\WINDOWS\system32\{20B2E246-89E8-46FF-9825-CF6E35CA184F}.exe
2006-10-24 05:49 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-08 13:38 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-08 13:38 -------- d-------- C:\Program Files\Common Files
2006-11-07 02:01 705 --a------ C:\WINDOWS\system32\{20B2E246-89E8-46FF-9825-CF6E35CA184F}.exe
2006-11-04 01:41 -------- d-------- C:\Documents and Settings\Owner\Application Data\WeatherBug
2006-10-31 11:45 -------- d-------- C:\Program Files\GenoPro Beta
2006-10-31 11:43 -------- d-------- C:\Program Files\GenoPro
2006-10-24 13:50 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-24 05:49 -------- d-------- C:\Program Files\Lexmark X74-X75
2006-10-06 14:49 -------- d-------- C:\Program Files\Internet Explorer
2006-10-06 14:46 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-06 14:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-10-06 14:41 -------- d-------- C:\Program Files\Java
2006-10-06 14:13 -------- d-------- C:\Program Files\Norton AntiVirus
2006-10-06 14:13 -------- d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-10-05 23:18 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-10-05 14:54 -------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2006-10-05 14:47 -------- d-------- C:\Program Files\QuickTime
2006-10-05 14:39 -------- d-------- C:\Program Files\Apple Software Update
2006-09-25 17:59 -------- d-------- C:\Program Files\MyWebSearchWB
2006-09-25 17:58 -------- d-------- C:\Program Files\AWS
2006-09-19 14:33 -------- d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2006-09-19 14:16 -------- d-------- C:\Program Files\Symantec
2006-09-15 22:52 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-15 22:52 124016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-08-18 01:58 57344 --a------ C:\WINDOWS\uneng.exe
2006-08-18 01:38 45056 --a------ C:\WINDOWS\system32\PCTKRNT.SYS
2006-08-18 01:20 126976 --a------ C:\WINDOWS\system32\unzdll.dll
2006-08-18 01:02 0 -rahs---- C:\MSDOS.SYS
2006-08-18 01:02 0 -rahs---- C:\IO.SYS
2006-08-18 01:02 0 --a------ C:\CONFIG.SYS
2006-08-18 01:02 0 --a------ C:\AUTOEXEC.BAT
2006-08-17 19:55 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SFP"="C:\\Program Files\\Common Files\\Verizon Online\\SFP\\vzSFPWin.EXE /s"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PROMon.exe"="PROMon.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Lexmark X74-X75"="\"C:\\Program Files\\Lexmark X74-X75\\lxbbbmgr.exe\""
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\SUPPOR~1\\SMARTB~1\\MotiveSB.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-08 14:13:37.12
C:\ComboFix.txt ... 06-11-08 14:13
C:\ComboFix2.txt ... 06-10-31 11:31
C:\ComboFix3.txt ... 06-10-31 11:22

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 2:16:21 PM, on 11/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\water.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.116.82,85.255.112.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.116.82 85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.82 85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.116.82,85.255.112.117
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.82 85.255.112.117
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe

I also have a question about cmd.exe. When I am on the computer about 20 minutes or more, two cmd.exe traces show up on the task manager as running processes, and then the computer freezes.

Thanks
  • 0

#27
Armodeluxe
Posted 08 November 2006 - 04:04 PM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
You got reinfected again. Either you're constantly visiting bad sites, or there is something on your computer that the scanners can't detect, in which case a reformat will be the only solution. Let's clean up one last time. Delete the old version of SDFix if you still have it.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

  • 0

#28
raucher1989
Posted 09 November 2006 - 01:39 PM

raucher1989

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Report.txt

SDFix: Version 1.36
-------------------

Scan run on:
Thu 11/09/2006

Time:
02:31 PM

Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Owner\Desktop\SDFix

Stage One...

Checking Services...

Name:
-----
WINLOGON

Path:
----
"C:\WINDOWS\system\winlogon.exe"

WINLOGON Deleted...

Repairing Registry...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

C:\WINDOWS\system\winlogon.exe
C:\WINDOWS\system32\i

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------


Any files removed are saved to the SDFix\backups Folder

FINISHED

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 2:38:40 PM, on 11/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\water.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.116.82,85.255.112.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.116.82 85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.82 85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.116.82,85.255.112.117
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.82 85.255.112.117
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks
  • 0

#29
Armodeluxe
Posted 10 November 2006 - 06:22 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Ok, run Fixwareout again and fix these entries in HijackThis:

O17 - HKLM\System\CCS\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.116.82,85.255.112.117
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.116.82 85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.82 85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.116.82,85.255.112.117
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.82 85.255.112.117

Then post:
a new HijackThis log
a new combofix log
a new SREng log

Make seperate posts for the logs.
  • 0

#30
raucher1989
Posted 10 November 2006 - 11:05 AM

raucher1989

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 12:04:47 PM, on 11/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\vzNetSvc.exe
C:\Documents and Settings\Owner\Desktop\water.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP