Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help me?

Started by Pianoman16 , Jul 12 2005 04:07 PM

  • Please log in to reply

#1
Pianoman16
Posted 12 July 2005 - 04:07 PM

Pianoman16

    Member

  • Member
  • PipPipPip
  • 183 posts
:tazz: I dont know if anything that could be done to make my pc work better or not. Can you just look at my hijack this log and tell me if there is anything I can do to make it better.

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nathaniel\My Documents\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 111111111111 222222222222
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - Global Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O12 - Plugin for .pdf: c:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113790688109
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Thank you in advance! ;)
  • 0

Advertisements

#2
Wizard
Posted 13 July 2005 - 08:18 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi Pianoman16 and Welcome to GeekstoGo!

I need to see a Copy of you Hosts File and a HijackThis log from Normal Mode please!

Open HijackThis-> Click Config-> Click Misc Tools-> Click Open Hosts File Manager-> Click Open in Notepad->

Copy&Paste the entire Contents of that Notepad Page to your Next Post!


Post back with a HijackThis log from Normal Mode and the Hosts File log!
  • 0

#3
Pianoman16
Posted 13 July 2005 - 11:46 AM

Pianoman16

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 183 posts
:tazz: All that came up when I did what you said was...

111111111111 222222222222

I did what you said, but I dont think thats what you want!
  • 0

#4
Wizard
Posted 13 July 2005 - 12:07 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,Thats what I needed to know!

Download the Hoster from here:
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK"!!
Exit Program!


Right-Click Here and Click "Save As" to download DelDomains.inf to your desktop.

Right Click DelDomains.inf on your desktop and select "Install"

It will perform a silent process>Give it a minute to run!


You really should get some Antivirus Software and a Firewall Installed as soon as possible!

Here is a list of free ones for each!

Free Antivirus Software

AVG
http://www.grisoft.c...ng/us/tpl/tpl01

Antivir
http://www.free-av.com/

avast! 4 Home Edition
http://www.avast.com...ast_4_home.html

BitDefender Free Edition v7
http://www.bitdefend...cts.php?p_id=24

a-squared Free
http://www.emsisoft..../software/free/


Free Firewalls

Sygate Personal Firewall:
http://smb.sygate.co...pf_standard.htm

ZoneAlarm
http://www.zonelabs....reeDownload.jsp


Here is a great link explaining about Firewall Usage!
http://www.bleepingc...alls-tut60.html


Once all is done,Scan the PC with the New Antivirus and let me know if it finds anything!


Post back with a fresh HijackThis log once completed!
  • 0

#5
Pianoman16
Posted 13 July 2005 - 02:27 PM

Pianoman16

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 183 posts
I have the AVG virus scan already and I have the windows firewall, I cant have another firewall because it slows down my computer to much.

The virus scan found nothing, and the new hijackthis log is....

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nathaniel\My Documents\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O12 - Plugin for .pdf: c:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113790688109
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Gear Security Service (GEARSecurity) - Unknown owner - C:\WINDOWS\system32\gearsec.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

Thank you for all the help thus far.
  • 0

#6
Wizard
Posted 13 July 2005 - 02:37 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Do you notice any difference at all in the PC?
  • 0

#7
Pianoman16
Posted 13 July 2005 - 04:36 PM

Pianoman16

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 183 posts
Umm..... not really. Sad to say.

What was it suppose to do? ;) :tazz:
  • 0

#8
Wizard
Posted 13 July 2005 - 04:44 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Well lets look deeper!

Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once the Scan is Complete-> Click "Copy to Clipboard" and Copy&Paste those Results into the next reply!
  • 0

#9
Pianoman16
Posted 13 July 2005 - 05:43 PM

Pianoman16

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 183 posts
Here you go.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! C:\WINDOWS\tsc.exe
PECompact2 C:\WINDOWS\VPTNFILE.689
qoologic C:\WINDOWS\VPTNFILE.689
SAHAgent C:\WINDOWS\VPTNFILE.689
UPX! C:\WINDOWS\vsapi32.dll
aspack C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 C:\WINDOWS\system32\dfrg.msc
PEC2 C:\WINDOWS\system32\DivX.dll
PECompact2 C:\WINDOWS\system32\DivX.dll
PECompact2 C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\ntdll.dll
Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...
UPX! C:\WINDOWS\system32\drivers\avg7core.sys
FSG! C:\WINDOWS\system32\drivers\avg7core.sys
aspack C:\WINDOWS\system32\drivers\avg7core.sys
PTech C:\WINDOWS\system32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
7/6/2005 C:\WINDOWS\a3kebook.ini
7/6/2005 C:\WINDOWS\akebook.ini
7/8/2005 C:\WINDOWS\QTFont.qfn
6/6/2005 C:\WINDOWS\Downloaded Program Files\Doremi.ttf
6/22/2005 C:\WINDOWS\FONTS\desktop.ini
6/26/2005 C:\WINDOWS\INF\oem11.inf
7/12/2005 C:\WINDOWS\SYSTEM32\AuxDrv32b_g.oxc
5/15/2005 C:\WINDOWS\SYSTEM32\cmd.com
5/15/2005 C:\WINDOWS\SYSTEM32\netstat.com
5/15/2005 C:\WINDOWS\SYSTEM32\ping.com
5/15/2005 C:\WINDOWS\SYSTEM32\regedit.com
5/15/2005 C:\WINDOWS\SYSTEM32\taskkill.com
5/15/2005 C:\WINDOWS\SYSTEM32\tasklist.com
5/15/2005 C:\WINDOWS\SYSTEM32\tracert.com
7/13/2005 C:\WINDOWS\SYSTEM32\config\default.LOG
7/13/2005 C:\WINDOWS\SYSTEM32\config\SAM.LOG
7/13/2005 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
7/13/2005 C:\WINDOWS\SYSTEM32\config\software.LOG
7/13/2005 C:\WINDOWS\SYSTEM32\config\system.LOG
7/12/2005 C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat.LOG
7/12/2005 C:\WINDOWS\SYSTEM32\GroupPolicy\Adm\admfiles.ini
7/13/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =
*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
=

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LTMSG LTMSG.exe 7
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit userinit.exe
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Again thank you for all your help!
  • 0

#10
Wizard
Posted 13 July 2005 - 07:23 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Well,I will have to thank Old Timer in the Morning,beings he is the one that built that Scanner!

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\VPTNFILE.689
C:\WINDOWS\Downloaded Program Files\Doremi.ttf


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.


If for Some reason the Paste to ClipBoard function does not work!

Paste each into Killbox

Click "Yes" to Confirm

Click "NO" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot

Restart and see if things dont work out a bit better!

Post back and let me know!

Edited by Cretemonster, 13 July 2005 - 07:31 PM.

  • 0

Advertisements

#11
Pianoman16
Posted 13 July 2005 - 07:49 PM

Pianoman16

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 183 posts
I did it and everything went fine, but I still dont notice any diffrence. Is it possible that there is just no helping my computer and that this is the best it gets? :tazz:
  • 0

#12
Wizard
Posted 13 July 2005 - 08:01 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK...Lets disable System Restore and Clean up all the leftovers!
http://service1.syma...src=sec_doc_nam


Download and Run these 2

CCleaner:
http://www.filehippo...d_ccleaner.html
This is to help keep those Temporary Files Cleaned Up!

CleanUp! 4.0:
http://downloads.ste...p/CleanUp40.exe


Defragment the Hard Drive

Click Start-> All Programs-> Accessories-> System Tools-> Disk Defragment!


Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Kaspersky

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Post back with a fresh HijackThis log and the report from Kaspersky!
  • 0

#13
Pianoman16
Posted 14 July 2005 - 04:28 PM

Pianoman16

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 183 posts
I loved the Cleanup prgram, it got rid almost 900 MB!

The Kaspersky logs were as followed.

Critical Areas scan....

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Thursday, July 14, 2005 14:52:52
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/07/2005
Kaspersky Anti-Virus database records: 138348
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\NATHAN~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 15195
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 1294 sec

Infected Object Name - Virus Name
C:\WINDOWS\Downloaded Installations\{448A5AAF-26A0-4574-B76E-6C4166145AB1}\Recruit.msi/Data1.cab/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.14
C:\WINDOWS\Downloaded Installations\{448A5AAF-26A0-4574-B76E-6C4166145AB1}\Recruit.msi/Data1.cab Infected: not-a-virus:Client-IRC.Win32.mIRC.14
C:\WINDOWS\Downloaded Installations\{448A5AAF-26A0-4574-B76E-6C4166145AB1}\Recruit.msi Infected: not-a-virus:Client-IRC.Win32.mIRC.14

Scan process completed.

My Computer scan...

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Thursday, July 14, 2005 18:20:47
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/07/2005
Kaspersky Anti-Virus database records: 138348
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 86127
Number of viruses found: 22
Number of infected objects: 83
Number of suspicious objects: 2
Duration of the scan process: 6096 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip/install.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Default User\My Documents\Nathaniel\Anonymous\snowfall\pumpkin_hss2.exe/WISE0014.BIN Infected: not-a-virus:AdWare.EZula.a
C:\Documents and Settings\Default User\My Documents\Nathaniel\Anonymous\snowfall\pumpkin_hss2.exe/WISE0015.BIN/data0002 Infected: not-a-virus:AdWare.Sidesearch.d
C:\Documents and Settings\Default User\My Documents\Nathaniel\Anonymous\snowfall\pumpkin_hss2.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Sidesearch.d
C:\Documents and Settings\Default User\My Documents\Nathaniel\Anonymous\snowfall\pumpkin_hss2.exe/WISE0016.BIN Infected: not-a-virus:AdWare.IGetNet
C:\Documents and Settings\Default User\My Documents\Nathaniel\Anonymous\snowfall\pumpkin_hss2.exe Infected: not-a-virus:AdWare.IGetNet
C:\Documents and Settings\Nathaniel\My Documents\Games\Sierra\Half-Life\hltv.exe Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\Documents and Settings\Nathaniel\My Documents\Games\Sierra\HL\Half-Life 2\hl1110_full_update.exe/WISE0025.BIN Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\Documents and Settings\Nathaniel\My Documents\Games\Sierra\HL\Half-Life 2\hl1110_full_update.exe Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\Documents and Settings\Nathaniel\My Documents\Games\Sierra\HL\hl1110_full_update.exe/WISE0025.BIN Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\Documents and Settings\Nathaniel\My Documents\Games\Sierra\HL\hl1110_full_update.exe Infected: not-a-virus:Server-Proxy.Win32.Hltv
C:\Documents and Settings\Nathaniel\rebates.exe/WEBREB~1.EXE Infected: not-a-virus:AdWare.WinAD.ao
C:\Documents and Settings\Nathaniel\rebates.exe Infected: not-a-virus:AdWare.WinAD.ao
C:\Program Files\bearshare\Installer\BSINSTALL.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.SaveNow.z
C:\Program Files\bearshare\Installer\BSINSTALL.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.SaveNow.z
C:\Program Files\bearshare\Installer\BSINSTALL.exe/WISE0023.BIN Infected: not-a-virus:AdWare.SaveNow.z
C:\Program Files\bearshare\Installer\BSINSTALL.exe/WISE0027.BIN Infected: not-a-virus:AdWare.SaveNow.bo
C:\Program Files\bearshare\Installer\BSINSTALL.exe Infected: not-a-virus:AdWare.SaveNow.bo
C:\Program Files\bearshare\Installer\saveinstwm.exe/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.SaveNow.z
C:\Program Files\bearshare\Installer\saveinstwm.exe/data0001.cab Infected: not-a-virus:AdWare.SaveNow.z
C:\Program Files\bearshare\Installer\saveinstwm.exe Infected: not-a-virus:AdWare.SaveNow.z
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP118\A0051002.exe/data0002 Infected: not-a-virus:AdWare.Broadcap.c
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP118\A0051002.exe Infected: not-a-virus:AdWare.Broadcap.c
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP119\A0051411.exe Infected: not-a-virus:AdWare.Sahat.m
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057623.exe Infected: not-virus:Hoax.Win32.Renos.d
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057638.exe Infected: Trojan-Proxy.Win32.Lager.t
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057651.exe Infected: Trojan.Win32.LowZones.y
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057652.exe Infected: not-virus:Hoax.Win32.Renos.d
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057661.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057662.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057663.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057664.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057666.exe/data0003 Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057666.exe Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057667.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057668.exe Infected: not-virus:Hoax.Win32.Renos.d
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057671.dll Infected: Trojan.Win32.Agent.co
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP121\A0057675.exe Infected: Trojan-Downloader.Win32.Small.bct
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP122\A0058636.exe Infected: Trojan-Proxy.Win32.Lager.t
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP123\A0059639.exe Infected: Trojan-Proxy.Win32.Lager.t
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP123\A0060632.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP123\A0060633.dll Infected: Trojan.Win32.Agent.co
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP123\A0060635.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060660.exe Infected: Trojan-Proxy.Win32.Lager.t
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060661.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060662.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060664.dll Infected: Trojan.Win32.Agent.co
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060715.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060723.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060724.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060725.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060726.dll Infected: Trojan.Win32.Agent.co
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060729.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060740.exe Infected: not-virus:Hoax.Win32.Renos.d
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060744.dll Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060745.exe/data0003 Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060745.exe Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060749.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060750.exe Infected: Trojan-Proxy.Win32.Lager.s
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060752.exe Infected: Trojan-Proxy.Win32.Lager.s
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060756.exe Infected: Trojan-Downloader.Win32.Small.avt
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060778.exe Infected: not-virus:Hoax.Win32.Renos.d
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060779.dll Infected: Backdoor.Win32.Padodor.az
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060780.exe Infected: Backdoor.Win32.Padodor.az
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060781.exe Infected: Trojan.Win32.LowZones.y
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060782.exe Infected: Trojan-Downloader.Win32.Small.bct
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060924.sys Infected: Backdoor.Win32.Haxdoor.gen
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060925.sys Infected: Backdoor.Win32.Haxdoor.gen
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060943.msi/Data1.cab/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.14
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060943.msi/Data1.cab Infected: not-a-virus:Client-IRC.Win32.mIRC.14
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP124\A0060943.msi Infected: not-a-virus:Client-IRC.Win32.mIRC.14
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP135\A0063530.dll Infected: not-a-virus:AdWare.NavExcel.i
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP89\A0045200.rbf Infected: not-a-virus:Client-IRC.Win32.mIRC.14
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP95\A0046563.exe/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.SaveNow.z
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP95\A0046563.exe/data0001.cab Infected: not-a-virus:AdWare.SaveNow.z
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP95\A0046563.exe Infected: not-a-virus:AdWare.SaveNow.z
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP95\A0046564.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.SaveNow.z
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP95\A0046564.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.SaveNow.z
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP95\A0046564.exe/WISE0023.BIN Infected: not-a-virus:AdWare.SaveNow.z
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP95\A0046564.exe/WISE0027.BIN Infected: not-a-virus:AdWare.SaveNow.bo
C:\System Volume Information\_restore{E8D80984-BC7C-495C-BFA0-118E9A5282DE}\RP95\A0046564.exe Infected: not-a-virus:AdWare.SaveNow.bo
C:\WINDOWS\Downloaded Installations\{448A5AAF-26A0-4574-B76E-6C4166145AB1}\Recruit.msi/Data1.cab/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.14
C:\WINDOWS\Downloaded Installations\{448A5AAF-26A0-4574-B76E-6C4166145AB1}\Recruit.msi/Data1.cab Infected: not-a-virus:Client-IRC.Win32.mIRC.14
C:\WINDOWS\Downloaded Installations\{448A5AAF-26A0-4574-B76E-6C4166145AB1}\Recruit.msi Infected: not-a-virus:Client-IRC.Win32.mIRC.14

Scan process completed.

And the Hijackthis log is...

Logfile of HijackThis v1.99.1
Scan saved at 6:28:12 PM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Documents and Settings\Nathaniel\My Documents\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O12 - Plugin for .pdf: c:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol....oach_core_1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1113790688109
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

That's everything.
  • 0

#14
Wizard
Posted 15 July 2005 - 02:39 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Did you delete all that Kaspersky found?

Open HijackThis and put a check next to these

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=userinit.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab

Make sure All Windows and Browsers are Closed and Click "Fix Checked"!


Post back and let me know if you notice a difference at all in the PCs performance!?
  • 0

#15
Pianoman16
Posted 15 July 2005 - 06:36 AM

Pianoman16

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 183 posts
I didn't touch anything that Kaspersky found...should I get rid of everything it found?
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP