C:\WINNT\SYSTEM32\WININET.DLL [RESOLVED]


  • This topic is locked

#1 mr trick (Member, 10 posts)
Hi,

My PC is currently infected with the Troj.Alemod virus. It has infected wininet.dll in system32.
I'm running XP Pro and have tried a few of the reg file fixer programs, like you told others who have had this problem, but they didn't seem to work... :tazz:
I guess it's time to ask for help! hehe

Thanks in advance for any help you can give me!

Here's my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 7:00:26 PM, on 4/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Andrew Turvey\Desktop\wininet\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazemail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {550E37A3-C014-4D12-9FAB-12E941368475} - C:\WINNT\System32\mbki.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{819A8EAA-1F9C-4871-8491-65DE5EE8400C}: NameServer = 195.95.218.4,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC0669F4-4C33-462A-A034-5212E3565565}: NameServer = 195.95.218.4,85.255.112.9
O20 - Winlogon Notify: style2 - C:\WINNT\q596875_disk.dll
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

I'm using PC-cillin Internet Security, Ad-Aware and Microsoft AntiSpyware...

Ta :)
  • 0


#2 Buckeye_Sam (Malware Expert, 10,019 posts)
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#3 mr trick (Topic Starter, Member, 10 posts)
Hi,

I've done the Service Pack 1 install.

Here's the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 7:32:27 PM, on 8/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINNT\System32\msiexec.exe
C:\WINNT\System32\sstray.exe
C:\Program files\EPoX\USDM\USDM.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINNT\CTRegRun.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\Product Registration\English\InetReg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrew Turvey\Desktop\wininet\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazemail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {550E37A3-C014-4D12-9FAB-12E941368475} - C:\WINNT\System32\mbki.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{819A8EAA-1F9C-4871-8491-65DE5EE8400C}: NameServer = 195.95.218.4,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC0669F4-4C33-462A-A034-5212E3565565}: NameServer = 195.95.218.4,85.255.112.9
O20 - Winlogon Notify: style2 - C:\WINNT\q596875_disk.dll
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Thanks again!
:tazz:
  • 0

#4 Buckeye_Sam (Malware Expert, 10,019 posts)
That's great! But there's no way I can read that log. Please check the formatting on notepad or whatever program you are using to view your log and repost it.
  • 0

#5 mr trick (Topic Starter, Member, 10 posts)
Hey buddy,
Sorry about that!! Here's a better post, my bad :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 7:32:27 PM, on 8/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINNT\System32\msiexec.exe
C:\WINNT\System32\sstray.exe
C:\Program files\EPoX\USDM\USDM.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINNT\CTRegRun.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\Product Registration\English\InetReg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrew Turvey\Desktop\wininet\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazemail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {550E37A3-C014-4D12-9FAB-12E941368475} - C:\WINNT\System32\mbki.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{819A8EAA-1F9C-4871-8491-65DE5EE8400C}: NameServer = 195.95.218.4,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC0669F4-4C33-462A-A034-5212E3565565}: NameServer = 195.95.218.4,85.255.112.9
O20 - Winlogon Notify: style2 - C:\WINNT\q596875_disk.dll
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Can you find it in your heart to forgive me??!! :)

Cheers,

Andrew.
  • 0

#6 Buckeye_Sam (Malware Expert, 10,019 posts)
Aaaahhh...that's much better. :tazz:

It looks like you have a few separate issues, so we're going to take them one at a time.

Please download SmitRem.zip
  • Save the file to your desktop.
  • Right-click on the file and extract it to its own folder on the desktop.


Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.
  • Select the first option, to run Windows in Safe Mode.
* If you have trouble getting into Safe Mode, go here for more info.



Once in Safe Mode, follow these steps:
  • Open the smitRem folder, then double-click the RunThis.bat file to start the tool.
  • Follow the prompts on screen.
  • Wait for the tool to complete and Disk Cleanup to finish.
  • The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Post the log file from smitRem as well as a new HijackThis log.
  • 0

#7 mr trick (Topic Starter, Member, 10 posts)
Howdy!!
Well, stuff's starting to happen!! :)
Woohoo :tazz:

Anywho, here's the HijackThis log and the smitRem log, in that particular order :)

Logfile of HijackThis v1.99.1
Scan saved at 4:49:04 PM, on 10/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\sstray.exe
C:\Program files\EPoX\USDM\USDM.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINNT\CTRegRun.EXE
C:\Program Files\Creative\Product Registration\English\InetReg.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINNT\System32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Andrew Turvey\Desktop\wininet\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazemail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {550E37A3-C014-4D12-9FAB-12E941368475} - C:\WINNT\System32\mbki.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{819A8EAA-1F9C-4871-8491-65DE5EE8400C}: NameServer = 195.95.218.4,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC0669F4-4C33-462A-A034-5212E3565565}: NameServer = 195.95.218.4,85.255.112.9
O20 - Winlogon Notify: style2 - C:\WINNT\q596875_disk.dll
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


And smitRem now....


smitRem log file
version 2.3

by noahdfear

The current date is: Sat 10/09/2005
The current time is: 16:37:17.28

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! :)


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :ph34r:


I love it when it says that (wininet.dll CLEAN!)
Yay!!
What next??
Cheers mate! Thanks for all your help btw!
Andrew.
  • 0

#8 Buckeye_Sam (Malware Expert, 10,019 posts)
One down! :tazz:
Let's see what else we can turn up.

Download and save BlackLight to your desktop. Double-click blbeta.exe, accept the agreement, leave [X] Scan through Windows Explorer checked, and click Scan > Next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
  • 0

#9 mr trick (Topic Starter, Member, 10 posts)
Hey buddy,

I ran the BlackLight proggy :tazz: .... Here's the log...

09/11/05 16:38:31 [Info]: BlackLight Engine 1.0.23 initialized
09/11/05 16:38:31 [Info]: OS: 5.1 build 2600 (Service Pack 1)
09/11/05 16:38:31 [Note]: 4019 0
09/11/05 16:38:31 [Note]: 4019 1
09/11/05 16:38:31 [Note]: 4019 2
09/11/05 16:38:31 [Note]: 4019 3
09/11/05 16:38:31 [Note]: 4019 4
09/11/05 16:38:31 [Note]: 4005 0
09/11/05 16:38:42 [Note]: 4006 0
09/11/05 16:38:42 [Note]: 4011 1068
09/11/05 16:38:43 [Note]: FSRAW library version 1.7.1011
09/11/05 16:41:20 [Note]: 4007 0

Is that good??!! :)

Ta again,

Andrew.
  • 0

#10 Buckeye_Sam (Malware Expert, 10,019 posts)
Yes, that's good! Nothing showed up in that scan.

Please make sure that you can view hidden files:
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
For more info on how to show hidden files click here.



Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows, so that you only see HijackThis on your Desktop, and click the Fix Checked button.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {550E37A3-C014-4D12-9FAB-12E941368475} - C:\WINNT\System32\mbki.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{819A8EAA-1F9C-4871-8491-65DE5EE8400C}: NameServer = 195.95.218.4,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC0669F4-4C33-462A-A034-5212E3565565}: NameServer = 195.95.218.4,85.255.112.9
O20 - Winlogon Notify: style2 - C:\WINNT\q596875_disk.dll



Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.
  • Select the first option, to run Windows in Safe Mode.
* If you have trouble getting into Safe Mode, go here for more info.




Once in Safe Mode, delete this file:

C:\WINNT\q596875_disk.dll


Reboot your computer to go back to normal mode and post a new log.
  • 0
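As an added example, not from the thread and not part of HijackThis itself: the entries Buckeye_Sam picked out in the post above can be found mechanically. The Python script below parses HijackThis v1.99.1 lines and applies four heuristics taken from that list: an R0/R1 entry whose value is empty, an O2 BHO whose DLL is reported missing, an O17 NameServer entry whose resolvers are not on an analyst-supplied allowlist (`trusted_dns` is an assumption of this example; HijackThis has no such setting), and an O20 Winlogon Notify DLL located outside system32 (a heuristic of mine, not a rule stated in the thread). The sample lines are copied from the logs posted earlier in this thread.

```python
"""Triage of HijackThis v1.99.1 log lines (added example, not the forum's or the tool's code)."""
import re

# Constructed sample: a subset of the lines posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazemail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {550E37A3-C014-4D12-9FAB-12E941368475} - C:\WINNT\System32\mbki.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{819A8EAA-1F9C-4871-8491-65DE5EE8400C}: NameServer = 195.95.218.4,85.255.112.9
O20 - Winlogon Notify: style2 - C:\WINNT\q596875_disk.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
"""

# Every HijackThis entry starts with a section tag (R0, O2, O17, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_line(line):
    """Split one HijackThis line into (section, body); None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage_line(line, trusted_dns=frozenset()):
    """Return a reason string if the line trips one of the heuristics, else None.

    trusted_dns is an analyst-supplied allowlist of resolver addresses (assumed to be
    confirmed with the ISP out of band, never copied from the log being examined).
    """
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed
    if section in ("R0", "R1"):
        # Start/search page entries: an empty value is what a hijacker leaves behind
        # once its URL is gone; the expert had it fixed along with the other leftovers.
        _, _, value = body.partition("=")
        if value.strip() == "":
            return "empty IE start/search page value"
    elif section == "O2":
        # Browser Helper Object whose DLL no longer exists: an orphaned registration.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            return "BHO registered but its DLL is absent"
    elif section == "O17":
        # Per-interface DNS servers: a changed resolver redirects every name lookup on
        # the machine, so anything not on the allowlist needs confirming.
        _, _, servers = body.partition("NameServer = ")
        addrs = [s.strip() for s in servers.split(",") if s.strip()]
        unknown = [a for a in addrs if a not in trusted_dns]
        if unknown:
            return "DNS resolver(s) not on allowlist: " + ", ".join(unknown)
    elif section == "O20":
        # Winlogon Notify DLLs are loaded into winlogon.exe; the stock ones live in
        # system32, so a DLL anywhere else deserves a closer look (heuristic).
        path = body.rsplit(" - ", 1)[-1]
        folder = path.rsplit("\\", 1)[0].lower()
        if not folder.endswith("\\system32"):
            return "Winlogon Notify DLL outside system32: " + path
    return None


def triage_log(text, trusted_dns=frozenset()):
    """Run triage_line over a whole log; returns [(section, line, reason), ...]."""
    findings = []
    for raw in text.splitlines():
        reason = triage_line(raw, trusted_dns)
        if reason is not None:
            findings.append((parse_line(raw)[0], raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for section, line, reason in triage_log(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {line}")
```

Run as a script it prints the five findings from the sample; on a full pasted log, call `triage_log()` with the text. Passing the two addresses from the O17 lines in `trusted_dns` makes that finding disappear, which is the point of the allowlist: it has to come from knowing what the ISP actually hands out, not from the log under examination.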


#11 mr trick (Topic Starter, Member, 10 posts)
Hey mate,

Well, everything worked until I tried to delete that system file:

C:\WINNT\q596875_disk.dll

It kept popping up with an error saying that I either didn't have access or the file was in use... :)

So I closed absolutely everything except Windows Explorer (which was nothing anyway, coz I'm in Safe Mode (der)), but it still wouldn't let me delete it. So I promptly picked up my puter and threw it across the room and screamed "why me, God?? WHY ME?!?"

Nah, there's absolutely no truth to that last statement at all!! hehe

Here's the HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 7:16:55 PM, on 12/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\sstray.exe
C:\Program files\EPoX\USDM\USDM.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINNT\CTRegRun.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Creative\Product Registration\English\InetReg.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrew Turvey\Desktop\wininet\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazemail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

How am I to delete this scary file?? I don't even know why I'm scared of it!! :) hehe

At a later date, mate!!
Ta-ta :tazz:

Andrew.
#12 mr trick (Topic Starter)
P.S. Should I be SP2'ing my computer, maybe?
:tazz:
#13 Buckeye_Sam (Malware Expert)
I do recommend SP2, but not until you are free of malware. Updating to SP2 when you are infected can cause serious problems.

Download KillBox and unzip it to your desktop.

Open Killbox and select the Delete on reboot option.
Copy and paste the following file to the field labeled "Full path of file to delete"

C:\WINNT\q596875_disk.dll

Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the YES button.

Your computer will reboot.

Please post a new hijackthis log. Let me know how things feel on your end.
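Added example for the "Delete on reboot" step above. This is not the thread's own instructions and not KillBox's code: it shows the documented Windows mechanism for deleting a file that is in use (the MoveFileEx API with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the file in PendingFileRenameOperations for Session Manager to process during boot) and a read-back of that queue so you can confirm the entry before restarting. That KillBox implements its option through this same mechanism is an assumption; the function names are mine. Run it from an elevated PowerShell prompt, since the queue lives under HKLM.

```powershell
# Added example, not KillBox's own code: queue a locked file for deletion at the
# next boot with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), then read back the
# PendingFileRenameOperations queue to confirm. Requires an elevated prompt,
# because the queue lives under HKLM. Assumption: KillBox's "Delete on reboot"
# relies on this same Windows mechanism.

$kernel32 = Add-Type -Namespace Win32 -Name NativeMove -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = [uint32]0x4

function Remove-FileOnReboot {
    param([Parameter(Mandatory)][string]$Path)

    $full = [System.IO.Path]::GetFullPath($Path)
    if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
        throw "File not found: $full"
    }
    # A null destination combined with MOVEFILE_DELAY_UNTIL_REBOOT means
    # "delete this file during boot, before anything can load or lock it again".
    if (-not $kernel32::MoveFileEx($full, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed, Win32 error $code (5 = access denied: run elevated)"
    }
    $full
}

function Get-PendingFileRenames {
    # Session Manager (smss.exe) walks this REG_MULTI_SZ early in boot. Entries
    # come in pairs: source path, then destination; an empty destination means delete.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $prop = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    $raw  = @($prop.PendingFileRenameOperations)
    for ($i = 0; $i + 1 -lt $raw.Count; $i += 2) {
        # Paths are stored in NT form with a \??\ prefix; strip it for readability.
        $dest = if ($raw[$i + 1]) { $raw[$i + 1] -replace '^\\\?\?\\', '' } else { '<delete>' }
        [pscustomobject]@{
            Source      = $raw[$i] -replace '^\\\?\?\\', ''
            Destination = $dest
        }
    }
}

# Usage, with the path named in this thread (substitute the file you need gone):
# Remove-FileOnReboot 'C:\WINNT\q596875_disk.dll'
# Get-PendingFileRenames        # the entry should show Destination '<delete>'
# Restart-Computer
```

Because everything in that queue is applied with SYSTEM privileges before user-mode services start, reading it back is also a sensible check before rebooting a machine you suspect is infected: an unexpected rename or delete targeting a system DLL there would be worth investigating before you let the reboot happen.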
#14 mr trick (Topic Starter)
Howdy!

I followed your advice, and it all seems to have gone well... :tazz:
Here's a new log:

Logfile of HijackThis v1.99.1
Scan saved at 6:27:12 PM, on 13/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\sstray.exe
C:\Program files\EPoX\USDM\USDM.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINNT\CTRegRun.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\Product Registration\English\InetReg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\OSD.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Andrew Turvey\Desktop\wininet\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareUpdater.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blazemail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINNT\CTRegRun.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Global Startup: Enable Belkin Wireless Keyboard Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Keyboard\MagicKey.exe
O4 - Global Startup: Enable Belkin Wireless Mouse Driver.lnk = C:\Program Files\Belkin Wireless\Belkin Wireless Mouse\MouseAp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Are we all good??

Drewsky. :)
#15 mr trick (Topic Starter)
Hello?

We must be all done, I suppose?

You've gone all samurai and disappeared on me...?! :tazz: