Diagnose Me!

#1 imafool4u (Member, 95 posts)

I suppose it's time for my regular checkup... I've had a few minor problems with my computer and maybe a HijackThis log can shed some light on what's going around.

Logfile of HijackThis v1.99.1
Scan saved at 3:25:34 PM, on 12/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\DAEMON Tools\daemon.exe
H:\WINDOWS\Mixer.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
H:\Program Files\CursorXP\CursorXP.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
H:\Documents and Settings\Fool\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.199.90.1:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [DAEMON Tools] "H:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [CursorXP] H:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [AIM] H:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - H:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - H:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - H:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://uproar.com/ap...pside_web18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F8434A1-FBD0-4387-AF18-9E48552D25E7}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\..\{B12CE733-24EF-4459-ADEE-FC4A03431044}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{7DF48417-8F9B-4887-B03E-54725AE054FE}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{97EB9257-3A92-48F0-880D-6FA5C3697DC4}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{B12CE733-24EF-4459-ADEE-FC4A03431044}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{BB6F1781-8F9B-48E1-8685-66E61E10C7EC}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\..\{DF3359EA-4E47-4E1F-A0CB-1953CB319DB4}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O17 - HKLM\System\CS2\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O17 - HKLM\System\CS3\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - H:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "H:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll,wbsys.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - H:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - H:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - H:\WINDOWS\system32\UAService7.exe (file missing)


#2 Flrman1 (Malware Assassin, Retired Staff, 6,596 posts)

I'm looking at your log now. I'll reply soon.

#3 Flrman1 (Malware Assassin, Retired Staff, 6,596 posts)

* Click here to download Fixwareout.exe and save it to your desktop.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Run Fixwareout:
  • Double-click on the Fixwareout.exe file to run it.
  • Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
  • The fix will begin. Follow the prompts.
  • You will be asked to reboot your computer, please do so.
  • Your system may take longer than usual to load, this is normal.
  • When your system reboots, a text file will open called report.txt.
  • Close the report.txt file. It has been saved already.
  • Open Hijack This and click on the "Do a System Scan Only" button.
  • In Hijack This, put a check by the following entries:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4F8434A1-FBD0-4387-AF18-9E48552D25E7}: NameServer = 85.255.116.26,85.255.112.104
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B12CE733-24EF-4459-ADEE-FC4A03431044}: NameServer = 85.255.116.26,85.255.112.104
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
    O17 - HKLM\System\CS1\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7DF48417-8F9B-4887-B03E-54725AE054FE}: NameServer = 85.255.116.26,85.255.112.104
    O17 - HKLM\System\CS1\Services\Tcpip\..\{97EB9257-3A92-48F0-880D-6FA5C3697DC4}: NameServer = 85.255.116.26,85.255.112.104
    O17 - HKLM\System\CS1\Services\Tcpip\..\{B12CE733-24EF-4459-ADEE-FC4A03431044}: NameServer = 85.255.116.26,85.255.112.104
    O17 - HKLM\System\CS1\Services\Tcpip\..\{BB6F1781-8F9B-48E1-8685-66E61E10C7EC}: NameServer = 85.255.116.26,85.255.112.104
    O17 - HKLM\System\CS1\Services\Tcpip\..\{DF3359EA-4E47-4E1F-A0CB-1953CB319DB4}: NameServer = 85.255.116.26,85.255.112.104
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
    O17 - HKLM\System\CS2\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
    O17 - HKLM\System\CS3\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104

  • After checking each of those entries in Hijack This, click the "Fix Checked" button then exit Hijack This.

* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

CAUTION!: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you proceed to make the following changes or you may lose your internet connection. If you are sure you do not need a specific DNS address here, you may proceed.
  • Double-click the Network Connections icon
  • Right-click the Local Area Connection icon and select Properties.
  • Highlight Internet Protocol (TCP/IP) and click the Properties button.
  • Be sure Obtain DNS server address automatically is selected.
  • OK your way out.

* Go to Start > Run and type in cmd
  • Click OK.
  • This will open a command prompt.
  • Type or copy and paste the following line in the command window:

    ipconfig /flushdns

  • Hit Enter
  • Exit the command window


* Restart your computer.


* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.


* Go to your C drive and find the fixwareout folder. Open the Report.txt file. Copy and paste the contents of Report.txt here along with a new HiJackThis log and the Uninstall list.
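The O17 check the steps above perform by hand (which NameServer entries point at resolvers that are neither the home router nor the ISP's, and whether they were written into the stored control sets as well as CurrentControlSet, so "Last Known Good" would not undo them), plus a scan for O23 services whose binary is missing, as an added Python example that is not part of this thread. The sample lines are copied from the log posted above; the allow-list of expected ISP resolvers is an assumption the operator supplies, in line with the CAUTION note.

```python
"""Triage of the HijackThis O17 and O23 lines discussed in this thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{29B39846-0902-49E5-B96A-2F1FC54E9A72}: NameServer = 85.255.116.26,85.255.112.104
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.26 85.255.112.104
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - H:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
"""

# O17 keys are per-interface (\..\{GUID}) or global (\Parameters). CCS is
# CurrentControlSet; CS1, CS2, ... are the stored control sets, one of which
# "Last Known Good Configuration" boots from.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}|Parameters): NameServer = (?P<servers>.+)$"
)
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?) \(file missing\)$"
)


def parse_o17(log):
    """One record per O17 line. HijackThis prints the server list either
    comma- or space-separated (both forms appear in the log above)."""
    records = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            records.append({
                "control_set": m.group("cs"),
                "scope": m.group("guid") or "Parameters",
                "servers": re.split(r"[,\s]+", m.group("servers").strip()),
            })
    return records


def is_expected_dns(server, expected_dns):
    """Private/loopback resolvers (a home router) or allow-listed ISP
    resolvers are fine; anything else, including unparsable text, is not."""
    if server in expected_dns:
        return True
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback


def dns_hijack_report(log, expected_dns=()):
    """Summarise unexpected resolvers and how widely they were written.
    'persistent' is True when they sit in two or more stored control sets,
    so booting Last Known Good would not get rid of them."""
    seen_in = defaultdict(set)  # server -> control sets it appears in
    entries = set()
    for rec in parse_o17(log):
        for server in rec["servers"]:
            if not is_expected_dns(server, expected_dns):
                seen_in[server].add(rec["control_set"])
                entries.add((rec["control_set"], rec["scope"]))
    control_sets = sorted({cs for sets in seen_in.values() for cs in sets})
    stored = [cs for cs in control_sets if cs != "CCS"]
    return {
        "suspicious_servers": sorted(seen_in),
        "control_sets": control_sets,
        "entries": len(entries),
        "persistent": len(stored) >= 2,
    }


def missing_service_binaries(log):
    """O23 services whose executable no longer exists: orphaned service
    registrations, the kind the helper later removes with servicefix.bat."""
    matches = (O23_RE.match(line.strip()) for line in log.splitlines())
    return [m.groupdict() for m in matches if m]


if __name__ == "__main__":
    report = dns_hijack_report(SAMPLE_LOG)
    print("Unexpected DNS servers:", report["suspicious_servers"])
    print("Control sets affected:", report["control_sets"],
          "(also in stored control sets)" if report["persistent"] else "")
    for svc in missing_service_binaries(SAMPLE_LOG):
        print("Orphaned service:", svc["short"], "->", svc["path"])
```

Pass the ISP's resolvers in `expected_dns` if the connection genuinely needs fixed DNS settings; with an empty allow-list every public resolver is reported.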

#4 imafool4u (Topic Starter, Member, 95 posts)

Santa's here with a fresh HijackThis log, uninstall list, and report.txt :whistling:

Logfile of HijackThis v1.99.1
Scan saved at 4:40:53 PM, on 12/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\DAEMON Tools\daemon.exe
H:\WINDOWS\Mixer.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
H:\Program Files\CursorXP\CursorXP.exe
H:\Program Files\AIM\aim.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\system32\notepad.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Documents and Settings\Fool\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.199.90.1:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [DAEMON Tools] "H:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [CursorXP] H:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [AIM] H:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - H:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://uproar.com/ap...pside_web18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - H:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "H:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll,wbsys.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - H:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - H:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - H:\WINDOWS\system32\UAService7.exe (file missing)


Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="csdnk.exe"

...
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5BBDFE7A359D-009B-C2E4-DBC2-C906B615{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Random Runs removed from HKLM
...
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
H:\WINDOWS\SYSTEM32\CSKNN.EXE 51,794 2006-09-26

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

...


AccessDiver v4.241+
Adobe Photoshop 7.0
Adobe Reader 7.0.5
Adobe Shockwave Player
Agere Systems PCI Soft Modem
AirPlus G
ANIO Service
ANIWZCS2 Service
AOL Instant Messenger
Azureus
Blink182 - Wizard
BlueJ 2.1.3
Cain & Abel v2.9
CCleaner (remove only)
Cheat Engine 5.2
Command & Conquer Red Alert 2
CursorXP
Eragon
GMail Drive Shell Extension
Gun Metal
Hide IP Platinum 2.82
HijackThis 1.99.1
Homeworld2
Internet Explorer 7 Beta 2 Preview
Ipswitch WS_FTP LE
J2SE Development Kit 5.0 Update 9
J2SE Runtime Environment 5.0 Update 9
K-Lite Codec Pack 2.76 Full
LimeWire PRO 4.11.0
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash Player 8
Messenger Plus! 3
Microsoft .NET Framework 2.0
Microsoft Halo
Microsoft Office XP Professional with FrontPage
Microsoft Platform SDK (3790.1830)
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
mIRC
Mozilla Firefox (1.5.0.8)
Mozilla Thunderbird (1.5.0.8)
MSN Messenger 7.5
MSXML 4.0 SP2 Parser and SDK
Network Stumbler 0.4.0 (remove only)
NVIDIA Drivers
Opera 9.01
Oregon Trail 5
PCI Audio Driver
Project64 1.6
Proxy Finder Enterprise Edition
RapidLeecher
Realtek AC'97 Audio
Riva FLV Encoder 2.0
RKAutominer 2
Rome - Total War™
SCAR CDE 2.03
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB920683)
Spybot - Search & Destroy 1.4
Star Wars Battlefront II
Star Wars® Knights of the Old Republic® II: The Sith Lords™
SwiftSwitch
Tom Clancy's Rainbow Six 3: Raven Shield
TreeSize Free V1.78
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
VideoLAN VLC media player 0.8.5
Westwood Shared Internet Components
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinPcap 3.1
WinRAR archiver
WWE RAW
Xfire (remove only)
Yahoo! Messenger

#5 Flrman1 (Malware Assassin, Retired Staff, 6,596 posts)

* The uninstall list looks fine. :whistling:

* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* I am attaching a servicefix.zip file to this post. Download it and save it to your desktop. Unzip it to extract the servicefix.bat file it contains.

Double-click on the servicefix.bat file to run it. A command window will appear briefly as the batch file runs. It may happen so quickly that you won't even see the command window. It will create a log on your desktop called servicefix.txt. Copy and paste the contents of the servicefix.txt file in your next reply here.


* After running the batch file, run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [MSConfig] H:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - Startup: PowerReg Scheduler.exe

If you did not set this restriction to disable regedit, fix this O7 entry too:

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://uproar.com/ap...pside_web18.cab



* Next, open Hijack This and click on the Config button in the lower right corner. In the next window click on the Misc Tools button at the top. Now click on the Delete a file on reboot... button. Copy and paste this line in the "File name" box:

H:\WINDOWS\SYSTEM32\CSKNN.EXE

You will be asked if you want to restart. Click Yes.

After restarting, run Kaspersky online virus scan here.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log, the servicefix.txt file and the results from Kaspersky scan in your next reply.


#6 imafool4u (Topic Starter, Member, 95 posts)

servicefix successfully deleted that thinger; I'm just too lazy to open that one up once I'm done with this.

Logfile of HijackThis v1.99.1
Scan saved at 1:27:43 AM, on 12/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\DAEMON Tools\daemon.exe
H:\WINDOWS\Mixer.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
H:\Program Files\CursorXP\CursorXP.exe
H:\Program Files\AIM\aim.exe
H:\Documents and Settings\Fool\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.199.90.1:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [DAEMON Tools] "H:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] H:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] H:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [CursorXP] H:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [AIM] H:\Program Files\AIM\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - H:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - H:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "H:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll,wbsys.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - H:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - H:\WINDOWS\system32\UAService7.exe (file missing)

#7 Flrman1 (Malware Assassin, Retired Staff, 6,596 posts)

Please run the Kaspersky scan and post the results as requested:

.......run Kaspersky online virus scan here.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log, the servicefix.txt file and the results from Kaspersky scan in your next reply.

