Logfile of HijackThis v1.99.1
Scan saved at 1:27:09 AM, on 4/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Stardock\SDMCP.exe
D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
D:\WINDOWS\Explorer.exe
D:\Program Files\Logitech\iTouch\iTouch.exe
D:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ImageIt\ItRun.EXE
C:\program files\powerstrip\pstrip.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\MemTurbo\MemTurbo.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\WINDOWS\system32\crypserv.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\HPZipm12.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Gene\Desktop\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinIt] C:\Program Files\ImageIt\ItRun.EXE
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MemTurbo.lnk = D:\Program Files\MemTurbo\MemTurbo.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104456538919
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6592C2E3-E961-4E67-926C-B8EA3BC376CD}: NameServer = 199.224.64.20 199.224.86.15
O20 - Winlogon Notify: MCPClient - D:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - D:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - D:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - d:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - D:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
FINDIT:
Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 04/29/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
»»»»» lagitamate file's can/will show in this section.
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Checking Windir\svcproc.exe and nail.exe.
Nail.exe
»»»»» Checking for System32\DrPMon.dll.
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in drive D is Raptor 74
Volume Serial Number is 9096-AB5F
Directory of D:\WINDOWS\SYSTEM32
03/27/2005 02:27 PM <DIR> cache32_rtneg
04/28/2005 08:07 PM <DIR> cache32_rtneg3
0 File(s) 0 bytes
2 Dir(s) 45,012,717,568 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive D is Raptor 74
Volume Serial Number is 9096-AB5F
Directory of D:\WINDOWS\system32
04/28/2005 11:14 PM 3,262 creditcard32123123123asdsa.ico
04/28/2005 08:07 PM 3,262 creditcard32123123123asdsa1.ico
03/26/2005 03:22 PM 3,262 eye41.ico
04/28/2005 08:07 PM 4,286 greenmovie2313asaadsasfad.ico
04/28/2005 11:14 PM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
03/27/2005 02:27 PM 3,262 kas pink1233aadsfa1.ico
04/28/2005 11:14 PM 3,262 kill popups.ico
04/28/2005 11:14 PM 3,262 kill spyware1.ico
03/26/2005 03:22 PM 4,286 moviescirc2.ico
03/26/2005 03:22 PM 4,286 mp3 players4salea.ico
04/28/2005 11:14 PM 4,286 mp3red51aads.ico
04/28/2005 08:07 PM 4,286 mp3red51aads1.ico
10/17/2002 11:39 AM 4,286 NDCR_OFF.ico
10/17/2002 11:39 AM 4,286 NDCR_ON.ico
04/28/2005 11:14 PM 3,262 vh e233.ico
04/28/2005 08:07 PM 3,262 vh e2331.ico
03/24/2005 06:58 PM 19,942 virus hunter yeah1.ico
17 File(s) 80,326 bytes
0 Dir(s) 45,012,717,568 bytes free
»»»»»»»»»»»»»»»»»»»»»»»».
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\aurora
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\Software\_rtneg3
im not sure exactly what all this means so
if you could please reply do so.
Edited by gene311, 28 April 2005 - 11:33 PM.