Hijack This Log [RESOLVED]


This topic is locked.

#1
elliotc02 (Member, 34 posts)
Hello, I'm having some trouble with opening programs. I also see that there is a program that opens and closes in Task Manager, sdktemp.exe, and that is replaced quickly by wkssvc.exe. Help!




Logfile of HijackThis v1.99.1
Scan saved at 10:20:50 PM, on 5/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ElliotChi\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [GKN] C:\WINDOWS\GKN.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Update] ms.exe
O4 - HKLM\..\Run: [Norton Wizzard] nwiz.exe
O4 - HKLM\..\Run: [K5fwNbC] c:\windows\temp\K5fwNbC.exe
O4 - HKLM\..\Run: [2SL8R5N5FB6H8B] C:\WINDOWS\System32\UbgrXPno.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\Run: [s73f39R] cnbert2.exe
O4 - HKLM\..\Run: [Windows Task Managers 32 BIT] winload32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] ms.exe
O4 - HKLM\..\RunServices: [Norton Wizzard] nwiz.exe
O4 - HKLM\..\RunServices: [Windows] system.exe
O4 - HKLM\..\RunServices: [Windows Task Managers 32 BIT] winload32.exe
O4 - HKLM\..\RunOnce: [utkmf.exe] C:\WINDOWS\System32\utkmf.exe /k
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [stclient] C:\WINDOWS\System32\stclient.exe
O4 - HKCU\..\Run: [Win-Hand] C:\Program Files\Win-Hand\Win-HandAnySer.exe
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - HKCU\..\RunOnce: [utkmf.exe] C:\WINDOWS\System32\utkmf.exe /k
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

Edited by elliotc02, 31 May 2005 - 06:25 PM.

#2
elliotc02 (Topic Starter, 34 posts)
Oh, and btw... when my computer is sitting idle, the internet connection icon is showing that data is being received and transferred!

On top of that, aim.exe seems to be launching in task manager and then closing. It is occasionally replaced with the wkssvc.exe.

One final note: my Firefox bookmarks seem to disappear occasionally when I launch my computer, and then on a reset the bookmarks will sometimes come back... so odd...

Thanks for any help you can offer!

Edited by elliotc02, 31 May 2005 - 04:32 AM.


#3
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Welcome to Geeks to Go!

I'm not sure why it's showing Service Pack 1 for IE, but not XP...

Do this for me:
The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh HijackThis log.

#4
elliotc02 (Topic Starter, 34 posts)
Hello! I finished installing said program! Thanks again for your help!


Logfile of HijackThis v1.99.1
Scan saved at 11:00:22 AM, on 6/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wkssvc.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\ElliotChi\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [GKN] C:\WINDOWS\GKN.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Update] ms.exe
O4 - HKLM\..\Run: [Norton Wizzard] nwiz.exe
O4 - HKLM\..\Run: [K5fwNbC] c:\windows\temp\K5fwNbC.exe
O4 - HKLM\..\Run: [2SL8R5N5FB6H8B] C:\WINDOWS\System32\SehMe.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\Run: [s73f39R] cnbert2.exe
O4 - HKLM\..\Run: [Windows Task Managers 32 BIT] winload32.exe
O4 - HKLM\..\Run: [Lsass] c:\woekd.exe
O4 - HKLM\..\Run: [Windows Logon Manager] logon.exe
O4 - HKLM\..\Run: [h] c:\windows\temp\h.exe
O4 - HKLM\..\Run: [vfLlJ81T] c:\windows\system32\vfLlJ81T.exe
O4 - HKLM\..\Run: [bUIV.exe] c:\windows\system32\bUIV.exe
O4 - HKLM\..\RunServices: [Microsoft Update] ms.exe
O4 - HKLM\..\RunServices: [Norton Wizzard] nwiz.exe
O4 - HKLM\..\RunServices: [Windows] system.exe
O4 - HKLM\..\RunServices: [Windows Task Managers 32 BIT] winload32.exe
O4 - HKLM\..\RunServices: [Windows Logon Manager] logon.exe
O4 - HKLM\..\RunOnce: [utkmf.exe] C:\WINDOWS\System32\utkmf.exe /k
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [stclient] C:\WINDOWS\System32\stclient.exe
O4 - HKCU\..\Run: [Win-Hand] C:\Program Files\Win-Hand\Win-HandAnySer.exe
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - HKCU\..\RunOnce: [utkmf.exe] C:\WINDOWS\System32\utkmf.exe /k
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
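A small triage script for the O4/O16/O23 lines in the two HijackThis logs above, added here as an example and not part of the thread or of HijackThis itself: it flags autostart entries that name a bare executable, sit in a drive root or temp folder, or are duplicated across Run and RunServices, plus services with an unknown owner outside System32 and ActiveX codebases pointing at local files. The sample lines are excerpted from the logs in this thread; the heuristics are this example's own, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed sample for this example: O4/O16/O23 lines excerpted from the
# HijackThis logs posted in this thread, mixed with benign entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] ms.exe
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\Run: [Lsass] c:\woekd.exe
O4 - HKLM\..\Run: [K5fwNbC] c:\windows\temp\K5fwNbC.exe
O4 - HKLM\..\RunServices: [Microsoft Update] ms.exe
O4 - HKLM\..\RunServices: [Windows] system.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""

# Line shapes as HijackThis 1.99 prints them.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")
# First executable-looking token of a command line, quoted or not.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|bat|scr|pif|dll))(?:"|\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section: O4, O16 or O23
    name: str      # Run value name, CLSID or service name
    detail: str    # executable path, codebase or service binary
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program an O4 command line launches, without its arguments."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m.group(1)
    parts = cmd.strip().split()
    return parts[0].strip('"') if parts else ""


def is_bare(exe: str) -> bool:
    """True when the entry names only a file, so Windows searches PATH for it."""
    return "\\" not in exe and ":" not in exe


def unusual_location(exe: str):
    """Heuristic (this example's own): drive roots and temp folders are odd homes for autostarts."""
    p = exe.lower()
    if re.match(r"^[a-z]:\\[^\\]+$", p):
        return "drive root"
    if "\\temp\\" in p:
        return "temp directory"
    return None


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return the entries a reviewer should look at first."""
    findings = []
    keys_per_entry = {}  # (hive, value name, exe) -> registry keys it appears under
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            exe = executable_of(cmd)
            keys_per_entry.setdefault((hive, name, exe.lower()), set()).add(key)
            if is_bare(exe):
                findings.append(Finding("O4", name, exe, "no path: resolved by PATH search at logon"))
            loc = unusual_location(exe)
            if loc:
                findings.append(Finding("O4", name, exe, f"executable in {loc}"))
            continue
        m = O16_RE.match(line)
        if m:
            clsid, codebase = m.groups()
            if codebase.lower().startswith("file://"):
                findings.append(Finding("O16", clsid, codebase, "ActiveX codebase is a local file"))
            continue
        m = O23_RE.match(line)
        if m:
            service, owner, binary, missing = m.groups()
            if owner == "Unknown owner" and missing:
                findings.append(Finding("O23", service, binary, "unknown owner and binary missing"))
            elif owner == "Unknown owner" and "\\system32\\" not in binary.lower():
                findings.append(Finding("O23", service, binary, "unknown owner, binary outside System32"))
    # The same value under both Run and RunServices (a Win9x key) is a common worm habit.
    for (hive, name, exe), keys in keys_per_entry.items():
        if {"Run", "RunServices"} <= keys:
            findings.append(Finding("O4", name, exe, f"listed under both {hive} Run and RunServices"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.detail} -- {f.reason}")
```

On the sample above the script reports eleven findings and leaves the Java and QuickTime entries alone; a real log still needs a human to confirm each hit, since legitimate software occasionally lives in odd places too.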

#5
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
You've got some serious issues going on. It'll take me a bit to get your fix done. Please try to stay off the Internet as much as possible. In the meantime, please do this for me:

*Open HijackThis.
*Click on "Open Misc Tools Section"
*Make sure that both boxes beside "Generate StartupList Log" are checked:

List all minor sections (Full)

and

List Empty Sections (Complete)

Click "Generate StartupList Log".
Click "Yes" at the prompt.

It will produce a NotePad Page. I need you to copy the entire contents of that page and paste it here.

#6
elliotc02 (Topic Starter, 34 posts)
Thank you so very much for your help banana! I can't tell you how much this means to me that you're willing to help! I'll be sure to make a contribution! Anyways, here you go:


StartupList report, 6/4/2005, 12:44:21 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\ElliotChi\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\ElliotChi\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\ElliotChi\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

EPSON Stylus C82 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
CASpeed = "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
DXDllRegExe = C:\WINDOWS\System32\dxdllreg.exe
GKN = C:\WINDOWS\GKN.exe
Motive SmartBridge = C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
Microsoft Update = ms.exe
Norton Wizzard = nwiz.exe
K5fwNbC = c:\windows\temp\K5fwNbC.exe
2SL8R5N5FB6H8B = C:\WINDOWS\System32\SehMe.exe
TangoManager = C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
MP10_EnsureFileVer = C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0\bin\jusched.exe
ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Uninstall_WinTools = C:\WINDOWS\Temp\WTuninst.exe /remove
EPSON Stylus Photo R200 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Windows = system.exe
s73f39R = cnbert2.exe
Windows Task Managers 32 BIT = winload32.exe
Lsass = c:\woekd.exe
Windows Logon Manager = logon.exe
h = c:\windows\temp\h.exe
vfLlJ81T = c:\windows\system32\vfLlJ81T.exe
bUIV.exe = c:\windows\system32\bUIV.exe
Win32 NT Adv Services = taskmngr.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

utkmf.exe = C:\WINDOWS\System32\utkmf.exe /k
AAW = "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Microsoft Update = ms.exe
Norton Wizzard = nwiz.exe
Windows = system.exe
Windows Task Managers 32 BIT = winload32.exe
Windows Logon Manager = logon.exe
Win32 NT Adv Services = taskmngr.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Pop-Up-Blocker =
TransparentIcons =
BlockAds =
Tweak-XP = C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
WCPS = C:\WINDOWS\System32\wintit.exe
H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
stclient = C:\WINDOWS\System32\stclient.exe
Win-Hand = C:\Program Files\Win-Hand\Win-HandAnySer.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

BullguardoptIn = C:\WINDOWS\Temp\BullGuard\bulldownload.exe
MPlayer2_FixUp = C:\WINDOWS\inf\unregmp2.exe /Fixups
RunPalmPIL = "C:\Program Files\palmOne\pil.exe"
utkmf.exe = C:\WINDOWS\System32\utkmf.exe /k

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\SEP\sep.dll - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}
(no name) - C:\Program Files\eSyndicate\esyn.dll - {CC378B83-9577-44D0-B4F8-0DD965E176FC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]

[{00000075-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...i386/voxacm.CAB

[{00000161-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/msaudio.cab

[{1D0D9077-3798-49BB-9058-393499174D5D}]
CODEBASE = file://c:\counter.cab

[{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}]
CODEBASE = http://files.member....c/yinsthdlk.cab

[{33363249-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/i263_32.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akama...meInstaller.exe

[Java Plug-in 1.5.0]
InProcServer32 = C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.5.0]
InProcServer32 = C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Aureal Game Port Enumerator: System32\DRIVERS\admjoy.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
AOL Instant Messanger: "C:\WINDOWS\aim.exe" (autostart)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Cyclades-Z Port Driver: System32\DRIVERS\cyzport.sys (manual start)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Digi PortServer Driver: System32\DRIVERS\digirlpt.sys (manual start)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter: System32\DRIVERS\DUBE100.sys (manual start)
Eplpdx02: \??\C:\WINDOWS\System32\Drivers\EPLPDX02.SYS (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver: System32\DRIVERS\FA312nd5.sys (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
HCF_MSFT: System32\DRIVERS\HCF_MSFT.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
KeyTrap: \??\C:\Program Files\Win-Hand\KeyTrap.sys (manual start)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Logitech PS/2 Mouse Filter Driver: System32\DRIVERS\L8042Pr2.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logitech HID/USB Mouse Filter Driver: System32\DRIVERS\LHidFlt2.sys (manual start)
Logitech USB Receiver device driver: system32\drivers\LHidUsb.Sys (manual start)
Logitech Keyboard Class Filter Driver: System32\DRIVERS\LKbdFlt2.sys (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech Mouse Class Filter Driver: System32\DRIVERS\LMouFlt2.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
mf: System32\DRIVERS\mf.sys (manual start)
Workstation Service Library: "C:\WINDOWS\wkssvc.exe" (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (system)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
PalmUSBD: system32\drivers\PalmUSBD.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIDATA: \??\D:\PCIDATA.sys (manual start)
PCIIde: System32\DRIVERS\pciide.sys (system)
permmgr: \??\C:\WINDOWS\System32\drivers\permmgr.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
rdriv: \??\C:\WINDOWS\system32\rdriv.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %systemroot%\system32\svchost.exe -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
sdktemp: "C:\WINDOWS\sdktemp.exe" (disabled)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Serial Mouse Driver: System32\DRIVERS\sermouse.sys (manual start)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{82240D55-DB2D-4E74-A429-55ACE6D01CCC} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Linksys EtherFast 10/100 Compact USB Network Adapter: System32\DRIVERS\USB100M.SYS (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
Windows CE USB Serial Host Driver: System32\DRIVERS\wceusbsh.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Aureal Vortex 8810 Audio Driver (WDM): system32\drivers\adm8810.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ZESOFT: C:\WINDOWS\zeta.exe (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 33,365 bytes
Report generated in 0.370 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
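Several entries in the log above share shapes that a reviewer learns to notice: a service whose binary sits directly in C:\WINDOWS rather than System32, a driver loaded from outside System32\drivers, a Run value that is a bare file name with no path at all. As an added example, not part of HijackThis, StartupList or any post in this thread, the Python below runs those heuristics over a constructed subset of the log lines (with legitimate entries kept as controls); the findings are prompts for review, not verdicts.

```python
"""Heuristic triage of StartupList service lines and HijackThis O4 entries.

Added example for this thread; not part of HijackThis, StartupList or any post.
SAMPLE_LINES is a constructed subset copied from the log above, with legitimate
entries kept as controls. Findings are review prompts, not verdicts.
"""
import re
from dataclasses import dataclass

WINROOT = "c:\\windows"
SYSTEM32 = WINROOT + "\\system32"
DRIVERS = SYSTEM32 + "\\drivers"
NT_PREFIX = "\\??\\"                                   # object-manager prefix on some ImagePaths
ROOT_ALLOW = {"explorer.exe", "regedit.exe", "notepad.exe"}   # legitimately live in %SystemRoot%
MIMIC_WORDS = ("lsass", "logon", "workstation", "microsoft", "windows")

SERVICE_RE = re.compile(r"^(?P<name>[^:]+): (?P<cmd>.+) \((?P<start>[^()]+)\)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
IMAGE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|sys|dll))(?:"|\s|$)', re.IGNORECASE)

SAMPLE_LINES = r"""
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation Service Library: "C:\WINDOWS\wkssvc.exe" (autostart)
sdktemp: "C:\WINDOWS\sdktemp.exe" (disabled)
ZESOFT: C:\WINDOWS\zeta.exe (autostart)
rdriv: \??\C:\WINDOWS\system32\rdriv.sys (manual start)
Disk Driver: System32\DRIVERS\disk.sys (system)
Eplpdx02: \??\C:\WINDOWS\System32\Drivers\EPLPDX02.SYS (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
O4 - HKLM\..\Run: [Lsass] c:\woekd.exe
O4 - HKLM\..\Run: [Microsoft Update] ms.exe
O4 - HKLM\..\Run: [h] c:\windows\temp\h.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
""".strip().splitlines()


@dataclass
class Entry:
    name: str    # service display name or Run value name
    path: str    # normalised, lower-case image path
    raw: str     # the log line as printed


def normalise(path: str) -> str:
    """Lower-case an image path and resolve the prefixes StartupList prints."""
    p = path.lower()
    if p.startswith(NT_PREFIX):
        p = p[len(NT_PREFIX):]
    if p.startswith("%systemroot%"):
        p = WINROOT + p[len("%systemroot%"):]
    elif p.startswith("\\systemroot"):
        p = WINROOT + p[len("\\systemroot"):]
    elif "\\" in p and not re.match(r"^[a-z]:\\", p):
        p = WINROOT + "\\" + p                         # driver paths are relative to %SystemRoot%
    return p


def parse(line: str):
    """Return an Entry for a service or O4 line, None for anything else."""
    line = line.strip()
    m = O4_RE.match(line) or SERVICE_RE.match(line)
    if m is None:
        return None
    img = IMAGE_RE.match(m.group("cmd").strip())       # drop arguments such as "-k netsvcs"
    if img is None:
        return None
    return Entry(m.group("name"), normalise(img.group("path")), line)


def findings(e: Entry) -> list:
    """Reasons an entry deserves a second look; an empty list means nothing tripped."""
    if "\\" not in e.path:
        return ["bare file name: found through the PATH search order, not a fixed location"]
    directory, _, filename = e.path.rpartition("\\")
    out = []
    if directory == WINROOT and filename not in ROOT_ALLOW:
        out.append("binary sits directly in %SystemRoot% instead of System32")
    if re.fullmatch(r"[a-z]:", directory):
        out.append("binary sits in a drive root")
    if filename.endswith(".sys") and directory != DRIVERS:
        out.append("kernel driver loaded from outside System32\\drivers")
    if "temp" in directory.split("\\"):
        out.append("runs from a Temp directory")
    if any(w in e.name.lower() for w in MIMIC_WORDS) and not e.path.startswith(SYSTEM32 + "\\"):
        out.append("name suggests a Windows component but the image is outside System32")
    return out


def triage(lines) -> dict:
    """Map each flagged raw line to its findings; clean and unparsed lines are omitted."""
    report = {}
    for line in lines:
        e = parse(line)
        if e is not None and findings(e):
            report[e.raw] = findings(e)
    return report


if __name__ == "__main__":
    for raw, hits in triage(SAMPLE_LINES).items():
        print(raw)
        for hit in hits:
            print("    ->", hit)
```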

#7
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
It is extremely important that you follow all directions exactly as specified.

I do not see an Anti-virus program on your system. It would be in your best interest to download a free anti-virus program such as AVG and run a FULL system scan before following the instructions below.

First, I need you to right-click on the desktop and go to New > Folder - click on it and name it whatever you want. Locate HiJackThis.exe on the desktop, right-click on it and go to "cut", then go into the folder you just made and click "paste". This is to ensure backups are saved and accessible.

Next, we need to remove the pepper trojan. Download this file, run it, and let it terminate (it'll just blink briefly on your screen and won't appear to have done much; this is normal):
http://www.geekstogo...=download&id=18

After that is done:

Set your system to SHOW HIDDEN FILES

Then using Windows Explorer, please locate this file:

C:\WINDOWS\system32\rdriv.sys

Right-click on it and go to "Rename". Rename it to rdriv.bak.

Open Notepad, and copy everything inside the code box (starting with REGEDIT4) below and paste it into a new Notepad file. Go up to "File" > "Save As...". A box will open up. Change the "Save As Type" to "All Files". Save it as rdriv.reg on your Desktop. Make sure there is NO blank line above REGEDIT4.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iTunesMusic]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_ITUNESMUSIC]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_RDRIV]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareWks"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareServer"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]
"Installed Time"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]
"Record"=-

Locate rdriv.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

After the "merged successfully" prompt, please do the following:

* Download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them, then press CTRL + C.

C:\Windows\System32\rdriv.bak
C:\Windows\ItunesMusic.exe
C:\WINDOWS\wkssvc.exe
C:\Program Files\SEP\sep.dll
C:\Program Files\eSyndicate\esyn.dll
C:\WINDOWS\GKN.exe
C:\Windows\System32\system.exe
C:\Windows\system.exe
C:\Windows\cnbert2.exe
C:\Windows\System32\cnbert2.exe
C:\Windows\System32\winload32.exe
c:\woekd.exe
c:\windows\temp\h.exe
c:\windows\system32\vfLlJ81T.exe
c:\windows\system32\bUIV.exe
C:\WINDOWS\System32\utkmf.exe
C:\WINDOWS\System32\wintit.exe
C:\WINDOWS\zeta.exe
c:\windows\temp\K5fwNbC.exe
C:\Windows\nwiz.exe
C:\WINDOWS\Temp\WTuninst.exe
C:\Windows\System32\ms.exe
C:\Windows\System32\logon.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, run HijackThis. Place a check next to the following items and click FIX CHECKED:

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [GKN] C:\WINDOWS\GKN.exe
O4 - HKLM\..\Run: [Microsoft Update] ms.exe
O4 - HKLM\..\Run: [Norton Wizzard] nwiz.exe
O4 - HKLM\..\Run: [K5fwNbC] c:\windows\temp\K5fwNbC.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\Run: [s73f39R] cnbert2.exe
O4 - HKLM\..\Run: [Windows Task Managers 32 BIT] winload32.exe
O4 - HKLM\..\Run: [Lsass] c:\woekd.exe
O4 - HKLM\..\Run: [Windows Logon Manager] logon.exe
O4 - HKLM\..\Run: [h] c:\windows\temp\h.exe
O4 - HKLM\..\Run: [vfLlJ81T] c:\windows\system32\vfLlJ81T.exe
O4 - HKLM\..\Run: [bUIV.exe] c:\windows\system32\bUIV.exe
O4 - HKLM\..\RunServices: [Microsoft Update] ms.exe
O4 - HKLM\..\RunServices: [Norton Wizzard] nwiz.exe
O4 - HKLM\..\RunServices: [Windows] system.exe
O4 - HKLM\..\RunServices: [Windows Task Managers 32 BIT] winload32.exe
O4 - HKLM\..\RunServices: [Windows Logon Manager] logon.exe
O4 - HKLM\..\RunOnce: [utkmf.exe] C:\WINDOWS\System32\utkmf.exe /k
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
O4 - HKCU\..\RunOnce: [utkmf.exe] C:\WINDOWS\System32\utkmf.exe /k

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


Close HiJackThis.

Please go into C:\Windows\System32 and make sure rdriv.bak is GONE!

Download, install, and run CleanUp!

Download Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode; you can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter. Then, run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files; click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot into normal mode.

Then, run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

Edited by bananafanafo, 05 June 2005 - 02:35 AM.


#8
elliotc02

    Member

  • Topic Starter
  • Member
  • 34 posts
Hey banana... sorry, a problem came up when I was trying to finish your instructions...

When I was trying to locate:

C:\WINDOWS\system32\rdriv.sys

Right-click on it and go to "Rename". Rename it to rdriv.bak


I couldn't rename it... every time I tried, it said that it was unable to rename it because it was being used by another person or program... Any ideas on how to fix this?

#9
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Here are the new instructions.

It is extremely important that you follow all directions exactly as specified.

Copy the below instructions (until you get to the purple text). Paste them into Notepad and save it for use while in Safe Mode. This is important because it has to be done exactly in order for this to work.

I need you to reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

After getting into Safe Mode, Go to Start > Run type in:

cmd

Click OK.

A black window will open up.

Copy the below line, exactly, and paste it into the black window:

attrib -h -r -s C:\WINDOWS\system32\rdriv.sys

Hit Enter.

When it goes to the next line, copy the below line, exactly, and paste it into the black window:

del C:\WINDOWS\system32\rdriv.sys

Hit Enter.

Then type exit

[END OF INSTRUCTIONS TO COPY FOR SAFE MODE]

Reboot into normal mode.

Open Notepad, and copy everything inside the code box (starting with REGEDIT4) below and paste it into a new Notepad file. Go up to "File" > "Save As...". A box will open up. Change the "Save As Type" to "All Files". Save it as rdriv.reg on your Desktop. Make sure there is NO blank line above REGEDIT4.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iTunesMusic]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_ITUNESMUSIC]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_RDRIV]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareWks"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareServer"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]
"Installed Time"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]
"Record"=-

Locate rdriv.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

After the "merged successfully" prompt, please do the following:

* Download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them, then press CTRL + C.

C:\Windows\System32\rdriv.bak
C:\Windows\ItunesMusic.exe
C:\WINDOWS\wkssvc.exe
C:\Program Files\SEP\sep.dll
C:\Program Files\eSyndicate\esyn.dll
C:\WINDOWS\GKN.exe
C:\Windows\System32\system.exe
C:\Windows\system.exe
C:\Windows\cnbert2.exe
C:\Windows\System32\cnbert2.exe
C:\Windows\System32\winload32.exe
c:\woekd.exe
c:\windows\temp\h.exe
c:\windows\system32\vfLlJ81T.exe
c:\windows\system32\bUIV.exe
C:\WINDOWS\System32\utkmf.exe
C:\WINDOWS\System32\wintit.exe
C:\WINDOWS\zeta.exe
c:\windows\temp\K5fwNbC.exe
C:\Windows\nwiz.exe
C:\WINDOWS\Temp\WTuninst.exe
C:\Windows\System32\ms.exe
C:\Windows\System32\logon.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, run HijackThis. Place a check next to the following items and click FIX CHECKED:

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [GKN] C:\WINDOWS\GKN.exe
O4 - HKLM\..\Run: [Microsoft Update] ms.exe
O4 - HKLM\..\Run: [Norton Wizzard] nwiz.exe
O4 - HKLM\..\Run: [K5fwNbC] c:\windows\temp\K5fwNbC.exe
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\Run: [s73f39R] cnbert2.exe
O4 - HKLM\..\Run: [Windows Task Managers 32 BIT] winload32.exe
O4 - HKLM\..\Run: [Lsass] c:\woekd.exe
O4 - HKLM\..\Run: [Windows Logon Manager] logon.exe
O4 - HKLM\..\Run: [h] c:\windows\temp\h.exe
O4 - HKLM\..\Run: [vfLlJ81T] c:\windows\system32\vfLlJ81T.exe
O4 - HKLM\..\Run: [bUIV.exe] c:\windows\system32\bUIV.exe
O4 - HKLM\..\RunServices: [Microsoft Update] ms.exe
O4 - HKLM\..\RunServices: [Norton Wizzard] nwiz.exe
O4 - HKLM\..\RunServices: [Windows] system.exe
O4 - HKLM\..\RunServices: [Windows Task Managers 32 BIT] winload32.exe
O4 - HKLM\..\RunServices: [Windows Logon Manager] logon.exe
O4 - HKLM\..\RunOnce: [utkmf.exe] C:\WINDOWS\System32\utkmf.exe /k
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
O4 - HKCU\..\RunOnce: [utkmf.exe] C:\WINDOWS\System32\utkmf.exe /k

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


Close HiJackThis.

Please go into C:\Windows\System32 and make sure rdriv.bak is GONE!

Download, install, and run CleanUp!

Download Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode, you can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files; click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot into normal mode.

Then, run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.
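The entries in the fix list above share a few tells that can be checked mechanically: a Run value with no directory, a binary in Temp or the drive root, a value name borrowed from a Windows component, a DPF pointing at file://, a service with no vendor or a missing binary. The Python triage script below is an added example, not a tool from this thread or from HijackThis; its sample log is constructed from lines in this thread plus two benign AVG entries, and its tags mark lines to review, not verdicts.

```python
import re
# Constructed sample in HijackThis 1.99 log format. The suspicious lines are
# taken from the fix list in this thread; the AVG lines are benign controls.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\Run: [Lsass] c:\woekd.exe
O4 - HKLM\..\Run: [h] c:\windows\temp\h.exe
O4 - HKLM\..\RunServices: [Microsoft Update] ms.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \(.*?\))? - (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# A Run value is either a quoted program or a program path followed by arguments.
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|com|scr|bat|cmd|pif|dll))(?=\s|$)', re.I)

# Core Windows process names that never belong in a Run value, and the branding
# prefixes the entries in this thread abuse; matches are flags to review, not verdicts.
PROTECTED_NAMES = {"lsass", "services", "svchost", "winlogon", "csrss", "smss", "system"}
BRANDING_PREFIXES = ("windows", "microsoft")

EXPLAIN = {
    "bare-filename": "no directory: resolved by path search, which legitimate installers avoid",
    "drive-root": "executable dropped directly in the drive root",
    "temp-dir": "executable runs from a Temp directory",
    "mimics-windows": "value name imitates a Windows component",
    "runservices-key": "RunServices is a Windows 9x key; on XP it is almost only written by malware",
    "file-url-dpf": "ActiveX download pointing at a local file:// path",
    "unknown-owner": "service binary carries no vendor information",
    "file-missing": "service is registered but its binary is gone",
}

def executable_of(command):
    """Return the program part of a Run value, minus quotes and arguments."""
    m = EXE_RE.match(command.strip())
    if m:
        return m.group(1) or m.group(2)
    parts = command.split()
    return parts[0] if parts else ""

def check_run(key, name, command):
    tags = []
    exe = executable_of(command).lower()
    if "\\" not in exe:
        tags.append("bare-filename")
    elif re.match(r"^[a-z]:\\[^\\]+$", exe):
        tags.append("drive-root")
    if "\\temp\\" in exe:
        tags.append("temp-dir")
    lname = name.lower()
    if lname in PROTECTED_NAMES or lname.startswith(BRANDING_PREFIXES):
        tags.append("mimics-windows")
    if key.lower() == "runservices":
        tags.append("runservices-key")
    return tags

def check_service(owner, path):
    tags = []
    if path.endswith("(file missing)"):
        tags.append("file-missing")
    if owner == "Unknown owner":
        tags.append("unknown-owner")
    return tags

def triage(log_text):
    """Map each HijackThis line that deserves a second look to its reason tags."""
    findings = {}
    for raw in log_text.splitlines():
        line, tags = raw.strip(), []
        if m := O4_RE.match(line):
            tags = check_run(m.group(2), m.group(3), m.group(4))
        elif m := O16_RE.match(line):
            tags = ["file-url-dpf"] if m.group(1).lower().startswith("file://") else []
        elif m := O23_RE.match(line):
            tags = check_service(m.group(2), m.group(3))
        if tags:
            findings[line] = tags
    return findings

if __name__ == "__main__":
    for line, tags in triage(SAMPLE_LOG).items():
        print(line)
        for tag in tags:
            print("    -", EXPLAIN[tag])
```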

#10 elliotc02 (Topic Starter, Member, 34 posts)
Thanks again banana! There is still a problem where an application error happens when my computer is working. It seems to happen randomly. The file is lsass.exe and I click OK to terminate it and then I have 60 seconds and my computer restarts.... Anyways, here's the ewido report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:47:43 AM, 6/7/2005
+ Report-Checksum: 416E1BA8

+ Date of database: 6/7/2005
+ Version of scan engine: v3.0

+ Duration: 455 min
+ Scanned Files: 71377
+ Speed: 2.61 Files/Second
+ Infected files: 59
+ Removed files: 59
+ Files put in quarantine: 59
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\Program Files\Lycos\IEagent\CSIE.DLL -> Spyware.ClearSearch.d -> Cleaned with backup
C:\sp2.exe/re11.REG -> Trojan.LowZones.a -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069391.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069392.exe -> Spyware.WinFetcher.b -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069400.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069406.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069430.exe -> TrojanDownloader.WinShow.g -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069431.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069432.exe -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069433.exe -> Trojan.Agent.az -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069434.exe -> Trojan.Agent.az -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069435.exe -> TrojanDropper.Small.ff -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069436.exe -> TrojanDownloader.Vb.Cw -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069437.exe -> Backdoor.Agobot.lq -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069438.exe -> Trojan.VB.z -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069439.exe -> TrojanDownloader.Agent.am -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069447.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069456.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069462.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069474.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP300\A0069476.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069485.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069486.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069488.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069489.dll -> Trojan.Septic.a -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069490.dll -> Spyware.Esyndic.a -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069491.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069492.exe -> Backdoor.Rbot -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069493.exe -> TrojanProxy.Agent.fb -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069494.exe -> Spyware.WinFetcher.b -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069501.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069506.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069525.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069535.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069536.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069541.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\system.exe -> Spyware.WinFetcher.b -> Cleaned with backup
C:\thin-85-1-x-x.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\aim.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\WINDOWS\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\WINDOWS\dumpreg.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\WINDOWS\system32\33r.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\system32\atiupdate5.exe -> Spyware.Adtomi.e -> Cleaned with backup
C:\WINDOWS\system32\BO2802040113.dll -> Spyware.VirtualBouncer.d -> Cleaned with backup
C:\WINDOWS\system32\btest4.scr -> TrojanDownloader.NSIS.gen -> Cleaned with backup
C:\WINDOWS\system32\chktrust.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\system32\cmciew.exe -> Trojan.AproposAd -> Cleaned with backup
C:\WINDOWS\system32\eraseme_07554.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\WINDOWS\system32\eraseme_24503.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\WINDOWS\system32\eraseme_35881.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\WINDOWS\system32\mirindaspe.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\system32\olxjri.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\WINDOWS\system32\taskmngr.exe -> Backdoor.Rbot -> Cleaned with backup
C:\WINDOWS\system32\update.exe -> Spyware.WinFetcher.b -> Cleaned with backup
C:\WINDOWS\tct101.dll -> TrojanDownloader.Dyfuca.eg -> Cleaned with backup
C:\WINDOWS\Temp\~168099.tmp -> Spyware.Wintol.p -> Cleaned with backup
C:\WINDOWS\wkssvc.exe -> Backdoor.SdBot.xd -> Cleaned with backup


::Report End


Here's the Activescan report:



Incident Status Location

Adware:Adware/Ucmore No disinfected C:\WINDOWS\ucmoreiex.exe
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\System32\cd_clint.dll
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/MemoryWatcher No disinfected C:\Program Files\MemoryWatcher
Adware:Adware/SAHAgent No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Dpi
Adware:Adware/SideSearch No disinfected C:\Program Files\Lycos
Adware:Adware/IEDriver No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\polall1r.inf
Spyware:Spyware/Overpro No disinfected Windows Registry
Adware:Adware/TopSearch No disinfected C:\Program Files\kazaa\topsearch.dll
Adware:Adware/TopConvert No disinfected Windows Registry
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\System32\kyf.dat
Virus:Trj/Downloader.AEE Disinfected Operating system
Adware:Adware/ESyndicate No disinfected C:\Program Files\eSyndicate
Virus:Trj/Downloader.AEE Disinfected C:\Documents and Settings\ElliotChi\Desktop\HiJack\backups\backup-20050606-212939-342.inf
Virus:Trj/Multidropper.QW Disinfected C:\iMeshInst.exe
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Adware:Adware/MemoryWatcher No disinfected C:\MemoryWatcher_b.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\remove_tools.html
Adware:Adware/TopSearch No disinfected C:\Program Files\Kazaa\TopSearch.dll
Possible Virus. No disinfected C:\WINDOWS\Downloaded Installations\{DA98601A-1186-4927-9E9A-5DF44E194479}\Data.Cab[F2251_Stealth.exe]
Adware:Adware/Adtomi No disinfected C:\WINDOWS\hz3c4i.sys
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\biH.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\polall1r.inf
Possible Virus. No disinfected C:\WINDOWS\system32\bH.dll
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\system32\cd_clint.dll
Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\hz3c4i.sys
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\kyf.dat
Virus:W32/Gaobot.HFV.worm Disinfected C:\WINDOWS\system32\TFTP708
Adware:Adware/Envolo No disinfected C:\WINDOWS\Temp\AutoUpdate0\setup.inf
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\__delete_on_reboot__~168099.tmp
Adware:Adware/Ucmore No disinfected C:\WINDOWS\ucmoreiex.exe
Virus:W32/Sdbot.DPP.worm Disinfected C:\WINDOWS\wkssvc.exe


And here's the new hijack this report...thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 12:03:22 PM, on 6/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\wkssvc.exe
C:\Documents and Settings\ElliotChi\Desktop\HiJack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [stclient] C:\WINDOWS\System32\stclient.exe
O4 - HKCU\..\Run: [Win-Hand] C:\Program Files\Win-Hand\Win-HandAnySer.exe
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
#11 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Please follow instructions exactly. Something in my previous instructions was not followed exactly. Your system is nasty so you have to be careful to follow all instructions as specified.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\ucmoreiex.exe
C:\WINDOWS\System32\cd_clint.dll
C:\WINDOWS\inf\polall1r.inf
C:\WINDOWS\System32\kyf.dat
C:\keys.ini
C:\MemoryWatcher_b.exe
C:\Program Files\Common Files\remove_tools.html
C:\WINDOWS\hz3c4i.sys
C:\WINDOWS\inf\biH.inf
C:\WINDOWS\inf\polall1r.inf
C:\WINDOWS\system32\bH.dll
C:\WINDOWS\system32\cd_clint.dll
C:\WINDOWS\system32\hz3c4i.sys
C:\WINDOWS\system32\kyf.dat
C:\WINDOWS\system32\TFTP708
C:\WINDOWS\Temp\AutoUpdate0\setup.inf
C:\WINDOWS\Temp\__delete_on_reboot__~168099.tmp
C:\WINDOWS\ucmoreiex.exe
C:\WINDOWS\wkssvc.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, please delete the following folders:

C:\Program Files\MemoryWatcher
C:\Program Files\cxtpls
C:\Program Files\Common Files\Dpi
C:\Program Files\Lycos
C:\Program Files\eSyndicate

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:

Workstation Service Library

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (copy and paste):

Microsoft Locator Service

Click ok.

It should pull up information about the service, when it asks if you want to reboot now click YES.

Post a new HiJackThis log.
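The Killbox list and the folder list above are the ActiveScan report sorted by what each location is: a file goes to Killbox, a folder is deleted by hand, and registry or operating-system entries cannot be handled by Killbox at all. The Python script below is an added example (not from this thread, Killbox or Panda) that does that sorting on a constructed subset of the report; the KNOWN_DIRS set is a stand-in for the infected machine's file system so the example runs offline, and entries ActiveScan already reports as Disinfected go into a separate re-check bucket rather than being guessed at.

```python
import os
import re

# Constructed sample in the ActiveScan "Incident Status Location" format, using
# a subset of the entries from the report posted in this thread.
SAMPLE_REPORT = r"""
Incident Status Location

Adware:Adware/Ucmore No disinfected C:\WINDOWS\ucmoreiex.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/MemoryWatcher No disinfected C:\Program Files\MemoryWatcher
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Dpi
Virus:Trj/Downloader.AEE Disinfected Operating system
Virus:Trj/Multidropper.QW Disinfected C:\iMeshInst.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Installations\{DA98601A-1186-4927-9E9A-5DF44E194479}\Data.Cab[F2251_Stealth.exe]
Possible Virus. No disinfected C:\WINDOWS\system32\bH.dll
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\System32\cd_clint.dll
Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\system32\cd_clint.dll
Virus:W32/Gaobot.HFV.worm Disinfected C:\WINDOWS\system32\TFTP708
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\__delete_on_reboot__~168099.tmp
"""

# Constructed stand-in for the infected machine's file system so the example
# runs offline; on the real machine pass os.path.isdir instead.
KNOWN_DIRS = {r"c:\program files\memorywatcher", r"c:\program files\common files\dpi"}

# Incident names may contain spaces ("Possible Virus."), so match lazily up to the status.
LINE_RE = re.compile(r"^(.*?) (No disinfected|Disinfected) (.*)$")
NON_FILE = {"windows registry", "operating system"}


def parse(report_text):
    """Yield (incident, status, location) for each result line; the header is skipped."""
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groups()


def partition(report_text, is_dir=os.path.isdir):
    """Sort ActiveScan results into the buckets a removal plan needs.

    files    -> paste into Killbox with "Delete on Reboot"
    folders  -> delete by hand after the reboot
    registry -> registry / operating-system entries Killbox cannot touch
    archives -> a member inside a .cab or .zip; the container is a separate decision
    recheck  -> ActiveScan says it disinfected these; confirm they are really gone
    """
    buckets = {k: [] for k in ("files", "folders", "registry", "archives", "recheck")}
    seen = set()
    for _incident, status, location in parse(report_text):
        key = location.lower()
        if key in seen:  # the same file is often listed under two spellings
            continue
        seen.add(key)
        if key in NON_FILE:
            buckets["registry"].append(location)
        elif status == "Disinfected":
            buckets["recheck"].append(location)
        elif "[" in location:
            buckets["archives"].append(location)
        elif is_dir(location):
            buckets["folders"].append(location)
        else:
            buckets["files"].append(location)
    return buckets


def killbox_clipboard(buckets):
    """Text to copy into Killbox: one full path per line, nothing else."""
    return "\n".join(buckets["files"])


if __name__ == "__main__":
    result = partition(SAMPLE_REPORT, is_dir=lambda p: p.lower() in KNOWN_DIRS)
    for name, items in result.items():
        print(f"{name}:")
        for item in items:
            print("   ", item)
```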

#12 elliotc02 (Topic Starter, Member, 34 posts)
Here you go banana:

Logfile of HijackThis v1.99.1
Scan saved at 12:37:09 PM, on 6/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\ElliotChi\Desktop\HiJack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Windows Server] winserv.exe
O4 - HKLM\..\RunServices: [Windows Server] winserv.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [stclient] C:\WINDOWS\System32\stclient.exe
O4 - HKCU\..\Run: [Win-Hand] C:\Program Files\Win-Hand\Win-HandAnySer.exe
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks again!

#13 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Do you know what these programs are:

C:\WINDOWS\System32\stclient.exe
C:\Program Files\Win-Hand\Win-HandAnySer.exe

Edited by bananafanafo, 07 June 2005 - 02:11 PM.


#14 elliotc02 (Topic Starter, Member, 34 posts)
I know that WinHand is a Palm program that I used to use... I don't need it anymore though... I don't know what stclient.exe is

Edited by elliotc02, 07 June 2005 - 02:19 PM.


#15 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Using Windows Explorer, please locate this file:

C:\WINDOWS\System32\stclient.exe

Right-click on it and go to properties. Does it have a "version" tab? If so, please tell me what it says. If not, right-click on it and go to "Send to > Compressed (zipped) Folder". After it's been zipped, please delete stclient.exe (but leave the zipped file for now)