Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

My Hijack This log [RESOLVED]

Started by badger98 , Jul 14 2005 10:30 AM

  • This topic is locked This topic is locked

#1
badger98
Posted 14 July 2005 - 10:30 AM

badger98

    Member

  • Member
  • PipPip
  • 14 posts
I have non-stop pop-ups so I have tried to remove them using the directions describing how to remove dprmon.dll. But it didn't work for this computer. I then downloaded HijackThis and ran a scan so here I am. I guess I need to know what to remove/fix. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 11:14:32 AM, on 7/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\desk98.exe
C:\Program Files\SPT\Accessories Plus\clockplus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B2446DC1-205C-4B54-9F59-B0732C5A0169} - C:\WINDOWS\System32\ikk.dll
O2 - BHO: (no name) - {CDAC3A87-23A0-4CBD-B1B9-CE7AA9A8DDD7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [AccessoriesPlus] "C:\Program Files\SPT\Accessories Plus\clockplus.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to Monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to Monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O15 - Trusted Zone: www.nextsoft.com
O16 - DPF: {933EC14C-7B6A-4F8B-8770-820167956CC3} (ShapeShifter.Mask) - http://www.rovion.co...hapeshifter.cab
O16 - DPF: {D2E8379B-1DD3-4607-A1AC-88AA4064B7C0} (NextsoftLoginRDP Control) - http://www.nextsoft....oftLoginRDP.inf
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements

#2
Kat
Posted 14 July 2005 - 10:41 AM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#3
badger98
Posted 14 July 2005 - 01:19 PM

badger98

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hey Kat,
I had an error pop up while installing the update.
"The file c:\windows\system32\ipnathlp.dll is open or in use by another application. Close all other applications and the click Retry."
  • 0

#4
Kat
Posted 14 July 2005 - 04:53 PM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
*Please go to http://www.howtotell.com (Microsoft website) using Internet Explorer.
*Click on "Windows Validation Assistant"
*Click on the "Validate Now" button.
*Be patient while the ActiveX loads, do not click on any links.
*Read the instructions on this page while it's loading. You will be prompted to install - click YES.
*Enter your product key then click "continue"
*When it says "Validation Complete" please click "Continue to return to your previous activity"
*Copy what it says and paste it here.
  • 0

#5
badger98
Posted 15 July 2005 - 07:51 AM

badger98

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hey Kat,
Here is the final page on the validation Assistant. I ddidn't know if that is what you needed.

Thank you for running the Windows Validation Assistant. It appears that your Windows Product Key is valid.

This is a strong indicator that your operating system is genuine, however the Windows Validation Assistant cannot make a final determination.

The benefits of genuine Windows software include greater reliability, faster access to updates, and overall richer experiences. Users of genuine Windows are also eligible to receive special offers as part of the Windows Genuine Advantage program.

To verify that you received a genuine Certificate of Authenticity and software CD, compare your anti-piracy features in the next section.
  • 0

#6
Kat
Posted 15 July 2005 - 11:31 AM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Yes, that is what I needed! :tazz:

I will take a look at your log and post instructions for you later this afternoon. I have to take my daughters somewhere, but I will be back on around 5:30pm Central time today! I will get your fix written up then!
  • 0

#7
Kat
Posted 15 July 2005 - 02:25 PM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hello again! You should either print these instructions, or save them to your desktop in a Notepad file. Part of the fix will require you to be in Safe Mode, and you will be unable to access the Internet at that time.

Please open HijackThis and scan for a log. Place a check next to each of the following entries only:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: (no name) - {B2446DC1-205C-4B54-9F59-B0732C5A0169} - C:\WINDOWS\System32\ikk.dll
O2 - BHO: (no name) - {CDAC3A87-23A0-4CBD-B1B9-CE7AA9A8DDD7} - (no file)

O4 - HKLM\..\Run: [AccessoriesPlus] "C:\Program Files\SPT\Accessories Plus\clockplus.exe"

O15 - Trusted Zone: www.nextsoft.com

O16 - DPF: {933EC14C-7B6A-4F8B-8770-820167956CC3} (ShapeShifter.Mask) - http://www.rovion.co...hapeshifter.cab
O16 - DPF: {D2E8379B-1DD3-4607-A1AC-88AA4064B7C0} (NextsoftLoginRDP Control) - http://www.nextsoft....oftLoginRDP.inf

Make sure all other windows/programs/browsers are closed. With only HJT running, click the "Fix Selected" button.

Reboot into Safe Mode, by continually tapping the F8 key as the machine begins to boot. you will be taken to a screen where you are given the option to enter Safe Mode.

Please uninstall the following programs by going to Start>Control Panel>Add and Remove Programs:
SPT


Please delete the following folders:
C:\Program Files\SPT

Delete the following files:
C:\WINDOWS\System32\ikk.dll

Reboot the computer normally.

Please download "Del Domain" from here

Download it to your desktop or somewhere you will find it. Extract the .inf file from the .zip file you just downloaded. Now right click "Deldomains.inf" and click "Install". It will not appear to have done anything, thats ok.


Please download CleanUp! and run it to remove any leftover remnants of infection. Click the CleanUp button, and let it scan and select any files it needs to remove. Once it is done, exit the program.



*Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.



After you have finished all of the above, please make a reply here. I need to see a copy of the Silent Runners log, as well as a fresh HijackThis log. Please also let me know how things are running! :tazz:
  • 0

#8
badger98
Posted 15 July 2005 - 03:26 PM

badger98

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:23:11 PM, on 7/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\desk98.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to Monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to Monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O18 - Filter: text/html - {62A7F586-2A05-4D4B-A865-F1ACA97CA6AA} - C:\WINDOWS\System32\ikk.dll
O18 - Filter: text/plain - {62A7F586-2A05-4D4B-A865-F1ACA97CA6AA} - C:\WINDOWS\System32\ikk.dll
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Here is the Scan report for Silent runners.

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:25:54 AM, 6/28/2005
+ Report-Checksum: 146B5B39

+ Date of database: 6/28/2005
+ Version of scan engine: v3.0

+ Duration: 54 min
+ Scanned Files: 100436
+ Speed: 30.99 Files/Second
+ Infected files: 46
+ Removed files: 46
+ Files put in quarantine: 46
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\

+ Scan result:
C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP685\A0046684.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\BvmUnst2.exe -> Spyware.Delf.ab -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1018.dll -> Spyware.Gator.1018 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.13\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.14\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.15\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1018.dll -> Spyware.Gator.1018 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1018.dll -> Spyware.Gator.1018 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1018.dll -> Spyware.Gator.1018 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1018.dll -> Spyware.Gator.1018 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1018.dll -> Spyware.Gator.1018 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1018.dll -> Spyware.Gator.1018 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1018.dll -> Spyware.Gator.1018 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\msopt.dll -> TrojanDownloader.Small.kq -> Cleaned with backup
C:\WINDOWS\SYSTEM\d2ka.exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Cleaned with backup
C:\WINDOWS\SYSTEM\teen.exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Cleaned with backup
C:\WINDOWS\SYSTEM32\6j892jktbc9bp8.dll -> Trojan.Krepper.r -> Cleaned with backup
C:\WINDOWS\SYSTEM32\d2kman.exe -> TrojanDownloader.Delf.ck -> Cleaned with backup
C:\WINDOWS\SYSTEM32\f3PSSavr.scr -> Spyware.MyWebSearch -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mkfcdba.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\vbe@linkexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\vbe@media[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\vbe@ads[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\vbe@linkexchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\vbe@S113154[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\vbe@S116311[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\vbe@S0014-01-2-16-217494-54117[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\vbe@S 0014-01-2-16-217494-54117[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\WINDOWS\Cookies\vbe@S005-01-6-28-254547-85597[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End
  • 0

#9
badger98
Posted 15 July 2005 - 03:27 PM

badger98

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hey Kat,
While I ran cleanup there was another popup. Not sure how things are going now I am going home for the night and will check back here Monday.

Thanks a lot.
  • 0

#10
badger98
Posted 15 July 2005 - 03:32 PM

badger98

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hey kay,
I posted the wrong report. I hope that's all. Anyway, how much more do you think we'll have to do? Here is the Silent Runners report:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DellTouch" = "C:\WINDOWS\MMKeybd.exe" ["Netropa Corp."]
"TCASUTIEXE" = "TCAUDIAG -off" [empty string]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"HydraVisionDesktopManager" = "desk98.exe" ["ATI Technologies Inc."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
"sp" = "rundll32 C:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll,DllInstall" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\phototoys.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/html\CLSID = "{62A7F586-2A05-4D4B-A865-F1ACA97CA6AA}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ikk.dll" [file not found]
INFECTION WARNING! text/plain\CLSID = "{62A7F586-2A05-4D4B-A865-F1ACA97CA6AA}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ikk.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"AA878159918837F1" -> launches: "c:\progra~1\storer~1\Coalpurenew.exe" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\INETREPL.DLL" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\INETREPL.DLL" [MS]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "blank" = "http://ultralinks.info/" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

3Com DMI Agent, 3ComDMIService, "C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE" ["3Com Corporation"]
Diskeeper, Diskeeper, "C:\Program Files\Executive Software\Diskeeper\DkService.exe" ["Executive Software International, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Netropa NHK Server, Nhksrv, "C:\WINDOWS\Nhksrv.exe" [null data]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "msikbd2k" ["Netropa Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 19 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 18 seconds.
---------- (total run time: 98 seconds)
  • 0

Advertisements

#11
Kat
Posted 15 July 2005 - 04:49 PM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
:tazz: You have somehow managed to get infected by yet another type of Malware. Let's hit this hard, ok? I want to get you cleaned up, and get you updated to SP2 before anything else installs itself. ;)

1. First, I need you to download a couple of programs we will need in order to get you cleaned up.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
2. Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

3. Please run about:buster by RubbeRDuckY:[list]
[*]Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
[*]Click Yes to allow it to shutdown explorer.exe.
[*]It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.

4. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

5. Now run SpSeHjfix.

6. Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files

7. Open HJT and scan for a log. Place a check next to each of the following (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll,DllInstall

O18 - Filter: text/html - {62A7F586-2A05-4D4B-A865-F1ACA97CA6AA} - C:\WINDOWS\System32\ikk.dll
O18 - Filter: text/plain - {62A7F586-2A05-4D4B-A865-F1ACA97CA6AA} - C:\WINDOWS\System32\ikk.dll

Be sure nothing other than HJT is running, and click "Fix Selected"

8. Delete the following files:
C:\DOCUME~1\Jeff\LOCALS~1\Temp\se.dll
C:\WINDOWS\System32\ikk.dll

9. Reboot normally and post a fresh HJT log here in a reply!
  • 0

#12
badger98
Posted 18 July 2005 - 07:24 AM

badger98

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hey Kat,
I forgot to say this Friday, but I couldn't find that ikk.dll file. Is there a place that it could be that I can't see?

Thanks,
Nathan
  • 0

#13
Kat
Posted 18 July 2005 - 09:59 AM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Hi again! Make sure you can View hidden files and folders.

· Click Start.
· Open My Computer.
· Select the Tools menu and click Folder Options.
· Select the View Tab.
· Under the Hidden files and folders heading select Show hidden files and folders.
· Uncheck the Hide protected operating system files (recommended) option.
· Click Yes to confirm.
· Click OK.


Then reboot into Safe Mode again, and see if you can locate the file now. If not, just make sure you fixed it in HijackThis, then post me the log(s) I requested.
  • 0

#14
badger98
Posted 18 July 2005 - 12:07 PM

badger98

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hey Kat,
Here it is. I hope this worked.

Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 1:04:09 PM, on 7/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\desk98.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Jeff\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to Monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to Monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {D2E8379B-1DD3-4607-A1AC-88AA4064B7C0} (NextsoftLoginRDP Control) - http://www.nextsoft....oftLoginRDP.inf
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#15
badger98
Posted 18 July 2005 - 12:59 PM

badger98

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hey Kat,
I have another question. There is a program that we need to log into on the internet to get into a server that is not allowed by firefox. I need to access the system, but internet explorer is not loading up.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP