ALL DONE.
I used Trend Micro scan and it said "Congratulations, we did not find any infections."
CWShredder* (see bottom of page) and clean up did their jobs.
SpSeHjFix said:
(6/6/05 14:26:49) SPSeHjFix started v1.1.2
(6/6/05 14:26:49) OS: WinXP Service Pack 2 (5.1.2600)
(6/6/05 14:26:49) Language: english
(6/6/05 14:26:49) Win-Path: E:\WINDOWS
(6/6/05 14:26:49) System-Path: E:\WINDOWS\system32
(6/6/05 14:26:49) Temp-Path: E:\DOCUME~1\Dennis\LOCALS~1\Temp\
(6/6/05 14:26:59) Disinfection started
(6/6/05 14:26:59) Bad-Dll(IEP): (not found)
(6/6/05 14:26:59) Bad-Dll(IEP) in BHO: (not found)
(6/6/05 14:26:59) UBF: 4 - UBB: 0 - UBR: 10
(6/6/05 14:26:59) UBF: 4 - UBB: 0 - UBR: 10
(6/6/05 14:26:59) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, CustomizeSearch:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(6/6/05 14:26:59) Stealth-String not found
(6/6/05 14:26:59) Not infected->END
I have attached the results from About:Buster, which came back negative but did not close down Explorer as described and did not request a second run. Hopefully you will be familiar with the screenshots.
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 15:05:28, on 06/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\SnoopFreeUI.exe
E:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
E:\WINDOWS\system32\VTTimer.exe
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\WINDOWS\System32\SnoopFreeSvc.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Microsoft Office\Office\OSA.EXE
E:\Program Files\12Ghosts\12wash.exe
E:\Program Files\ntl\broadband medic\bin\mpbtn.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Documents and Settings\Dennis\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hwww.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrinTray] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] E:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: 12Ghosts Wash.lnk = E:\Program Files\12Ghosts\12wash.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = E:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Microsoft Find Fast.lnk = E:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = E:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - E:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
*CWShredder scan (not sure if this is relevant)
**** Run Keys ****
RUN: [SnoopFreeUI] SnoopFreeUI.exe
RUN: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
RUN: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
RUN: [PrinTray] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
RUN: [VTTimer] VTTimer.exe
RUN: [Lexmark X83 Button Monitor] E:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
RUN: [Lexmark X83 Button Manager] E:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
RUN: [NeroCheck] E:\WINDOWS\system32\\NeroCheck.exe
RUN: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
RUN: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
RUN: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
**** Browser Helper Objects ****
**** IE Toolbars ****
**** IE Extensions ****
IEExt: [Spyware Doctor]
IEExt: [Messenger] E:\Program Files\Messenger\msmsgs.exe
**** Hosts File Entries ****
HOSTS: 127.0.0.1 localhost
HOSTS: 127.0.0.1 localhost
**** IE Settings ****
Default Page: http://www.msn.com
Default Search: http://home.microsof...arch/search.asp
Local Page: E:\WINDOWS\System32\blank.htm
Search Page: www.google.com
**** IE Context Menu (Right click) ****
**** Layered Service Providers ****
LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{14927DC3-42B0-4C78-806A-01DDF0DBA513}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{14927DC3-42B0-4C78-806A-01DDF0DBA513}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7A8DA847-4904-41D9-8A02-E2C48DA16751}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7A8DA847-4904-41D9-8A02-E2C48DA16751}] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{408DA57B-F89A-4CA7-B8F9-9A83094C82BB}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{408DA57B-F89A-4CA7-B8F9-9A83094C82BB}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5CE0809E-DCDD-426B-B924-0E7851AD7EB4}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5CE0809E-DCDD-426B-B924-0E7851AD7EB4}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5D8F3069-DD7A-4118-8063-15C057D08CD8}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5D8F3069-DD7A-4118-8063-15C057D08CD8}] DATAGRAM 2
**** Blocked Control Panel Items ****
BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No
**** Downloaded Program Files ****
Microsoft XML Parser for Java [file://E:\WINDOWS\Java\classes\xmldso.cab]
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} [http://software-dl.r...p/RdxIE601.cab] E:\WINDOWS\Downloaded Program Files\RdxIE.dll
{74D05D43-3236-11D4-BDCD-00C04F9A3B61} [http://a840.g.akamai...ll/xscan53.cab] E:\WINDOWS\system32\mfc42.dll E:\WINDOWS\loadhttp.dll E:\WINDOWS\aucfg.ini E:\WINDOWS\tmupdate.ini E:\WINDOWS\runtsckl.exe E:\WINDOWS\patchw32.dll E:\WINDOWS\Downloaded Program Files\xscan53.ocx
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macr...sh/swflash.cab]
**** Windows Services ****
[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aswUpdSv] "E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[avast! Antivirus] "E:\Program Files\Alwil Software\Avast4\ashServ.exe"
[avast! Mail Scanner] "E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
[avast! Web Scanner] "E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
[Avg7Alrt] E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
[Avg7UpdSvc] E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[cisvc] E:\WINDOWS\System32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] E:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] E:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter
[ImapiService] E:\WINDOWS\System32\imapi.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] E:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] E:\WINDOWS\System32\msdtc.exe
[MSIServer] E:\WINDOWS\system32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] E:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[SnoopFreeSvc] System32\SnoopFreeSvc.exe
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] E:\WINDOWS\System32\dllhost.exe /Processid:{FE74C2C3-040C-45EA-B52D-049392F86021}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost -k DComLaunch
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[vsmon] E:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] E:\WINDOWS\System32\wbem\wmiapsrv.exe
[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs
**** Custom IE Search Items ****
SEARCH: [SearchAssistant] hwww.google.com
SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm
**** Complete IE Options ****
IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] no
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] E:\WINDOWS\System32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] www.google.com
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Check_Associations] yes
IEOPT: [Use FormSuggest] no
IEOPT: [FullScreen] no
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [AddToFavoritesExpanded]
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NscSingleExpand]
IEOPT: [NoWebJITSetup]
IEOPT: [Page_Transitions]
IEOPT: [FavIntelliMenus] no
IEOPT: [UseThemes]
IEOPT: [Force Offscreen Composition]
IEOPT: [AllowWindowReuse]
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll]
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] yes
IEOPT: [Play_Animations] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] yes
IEOPT: [Show image placeholders]
IEOPT: [Print_Background] no
IEOPT: [FormSuggest PW Ask] no
IEOPT: [Use Search Asst] no
IEOPT: [HistoryViewType]
IEOPT: [Toolbars_Placement]
IEOPT: [HistoryTopNSitesView]
IEOPT: [DisableScriptDebuggerIE] yes
IEOPT: [Search Page] www.google.com
IEOPT: [Window_Placement] ,
IEOPT: [Default_Page_URL] http://www.msn.com
IEOPT: [Default_Search_URL] http://home.microsof...arch/search.asp
IEOPT: [Search Page] http://www.microsoft.com/
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] E:\WINDOWS\System32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] www.google.com
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: []
IEOPT: [Use Custom Search URL]
Thanks again for your help, I hope I have included everything you need!