Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

W32.Desktophijack HELP please!

Started by Jmg90300zx , Sep 20 2005 07:40 AM

  • Please log in to reply

#1
Jmg90300zx
Posted 20 September 2005 - 07:40 AM

Jmg90300zx

    Member

  • Member
  • PipPip
  • 33 posts
So recently I have Norton Antivirus telling me that I have the W32.Desktophijack virus. I have followed all directions through norton, and just about everything else I can figure out. The virus still remains. It is saying that the file C:\Windows1\system32\wininet.dll is infected. If anyone can help it would be greatfully appreciated!!

Logfile of HijackThis v1.99.1
Scan saved at 6:33:51 AM, on 9/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\csrss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\WINDOWS1\Explorer.EXE
C:\WINDOWS1\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS1\System32\CTHELPER.EXE
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS1\System32\ctfmon.exe
C:\WINDOWS1\System32\wdfmgr.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS1\wanmpsvc.exe
C:\Program Files\CompuServe 7.0b\wcs2000.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jon.JON-8HX8MZ3KHTU\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JON~1.JON\LOCALS~1\Temp\se.dll/spage.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS1\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS1\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS1\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125267220564
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intercall.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39D31279-01A8-4849-97E3-855961F63D3D}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{72FB1A70-2593-45FC-8D24-C280CCAE0208}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFDBE60B-18A4-4833-B14A-01C31A3613AC}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{39D31279-01A8-4849-97E3-855961F63D3D}: NameServer = 205.188.146.145
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS1\wanmpsvc.exe


Thanks!!!
  • 0

Advertisements

#2
tampabelle
Posted 20 September 2005 - 08:11 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#3
Jmg90300zx
Posted 20 September 2005 - 08:24 PM

Jmg90300zx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Ok here is the log. Ive done 2 things since earlier, I updated to SP1a as instructed, also I removed my selective startup (msconfig.exe) and returned it to a normal startup. The problem I was having was it was just loading too much junk, and I couldnt figure out how to stop it so I used selective startup.

here is the new log file:

Logfile of HijackThis v1.99.1
Scan saved at 7:15:52 PM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS1\System32\CTHELPER.EXE
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS1\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS1\System32\popcorn72.exe
C:\WINDOWS1\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS1\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jon.JON-8HX8MZ3KHTU\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS1\System32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JON~1.JON\LOCALS~1\Temp\se.dll/spage.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS1\System32\hclean32.exe
O4 - HKLM\..\Run: [System Restore] svcnet.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS1\UpdReg.EXE
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [System backup] C:\WINDOWS1\System32\web.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS1\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS1\System32\ctfmon.exe
O4 - HKCU\..\Run: [System Restore] svcnet.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [updatelavasoft] C:\WINDOWS1\System32\updatelavasoft.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0b\cstray.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS1\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125267220564
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127256435424
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intercall.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72FB1A70-2593-45FC-8D24-C280CCAE0208}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFDBE60B-18A4-4833-B14A-01C31A3613AC}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS1\wanmpsvc.exe

Thanks for the help!!
  • 0

#4
tampabelle
Posted 21 September 2005 - 09:20 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

Thanks for enabling all the items in your startup !!! Now we can see all the infections and tackle them.

Now that I have picked up the topic. I will be monitoring it on a regular basis and my responses will be quick and fast.

You have the wareout infection, apart from others. We will get rid of this one first.

Please RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#5
Jmg90300zx
Posted 21 September 2005 - 09:44 PM

Jmg90300zx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Hope this works for ya... let me know!!

Thanks


"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS1\System32\ctfmon.exe" [MS]
"System Restore" = "svcnet.exe" [file not found]
"WareOut" = ""C:\Program Files\WareOut\WareOut.exe"" [file not found]
"updatelavasoft" = "C:\WINDOWS1\System32\updatelavasoft.exe" [file not found]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"CTStartup" = ""C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play" ["Creative Technology Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"winlogon.exe" = "msole32.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTStartup" = ""C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run" ["Creative Technology Ltd."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"hpppta" = "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON" ["Hewlett-Packard Company"]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"hclean32.exe" = "C:\WINDOWS1\System32\hclean32.exe" [null data]
"System Restore" = "svcnet.exe" [file not found]
"UpdReg" = "C:\WINDOWS1\UpdReg.EXE" ["Creative Technology Ltd."]
"Ulead Quick-Drop" = ""C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL" [file not found]
"System backup" = "C:\WINDOWS1\System32\web.exe" [file not found]
"RoxioEngineUtility" = ""C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"" ["Roxio"]
"RoxioDragToDisc" = ""C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"" ["Roxio"]
"RoxioAudioCentral" = ""C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"" ["Roxio, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ControlPanel" = "C:\WINDOWS1\System32\popcorn72.exe rundll.dll,LoadMouseProfile" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS1\System32\hticons.dll" ["Hilgraeve, Inc."]
"{D1FB6C78-10FD-45cd-8FF4-8267D62992FB}" = "CompuServe"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\csshare\shell\us\shellext.dll" ["CompuServe Interactive Services, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS1\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS1\System32\Audiodev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b5 (beta test) Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b5 (beta test) DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b5 (beta test) Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b5 (beta test) Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{DBD8E168-244D-448C-9922-25508950D1DC}" = "Ulead UDF Driver"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll" [file not found]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csles.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
yEnc32\(Default) = "{8CDA2F05-B2BA-4AC7-B731-51E9E6B006E1}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\eSite Media\yEnc32\yEnc32Shell.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001
[enables Active Desktop and prevents disabling it]
{User Configuration|Administrative Templates|Desktop|Active Desktop|
Enable Active Desktop}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop enabled via Group Policy.

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Jon.JON-8HX8MZ3KHTU\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS1\System32\ssstars.scr" [MS]


Startup items in "Jon" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS1\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"CompuServe 7.0 Tray Icon" -> shortcut to: "C:\Program Files\CompuServe 7.0b\cstray.exe -check" ["CompuServe Interactive Services, Inc."]
"Image Transfer" -> shortcut to: "C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe" [null data]
"MA111 Configuration Utility" -> shortcut to: "C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Jon" -> launches: "C:\PROGRA~1\NORTON~2\Navw32.exe /task:"C:\Documents and Settings\All Users.WINDOWS1\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS1\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{77E68763-4284-41D6-B7E7-B6E1F053A9E7}\
"ButtonText" = "EmpirePoker"
"MenuText" = "EmpirePoker"
"Exec" = "C:\Program Files\EmpirePoker\EmpirePoker.exe" [file not found]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


HOSTS file
----------

C:\WINDOWS1\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS1\wanmpsvc.exe"" ["America Online, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 110 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 67 seconds.
---------- (total run time: 307 seconds)
  • 0

#6
tampabelle
Posted 22 September 2005 - 09:01 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Copy everything in the quote box below (starting with REGEDIT4) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixware.reg on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

Double-click fixware.reg and when asked if you want to merge with the registry click YES.

After the merged successfully prompt, please reboot your computer.

After reboot, please download RKFiles from HERE
  • Unzip RKfiles.zip to the desktop
  • Double-click RKFiles.bat to run it.
    • It may take a while.
  • When it is finished a window should appear with a log.
  • Please copy the contents of the log and paste them here
    • Note: the log with be saved at c:\log.txt

  • 0

#7
Jmg90300zx
Posted 22 September 2005 - 10:40 PM

Jmg90300zx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Here we go... thanks for all your help!!

C:\Documents and Settings\Jon.JON-8HX8MZ3KHTU\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS1\system32\mc-58-12-0000093.exe: UPX!
C:\WINDOWS1\system32\ntfsnlpa.exe: UPX!
C:\WINDOWS1\system32\rdsndin.exe: UPX!
C:\WINDOWS1\system32\c4t.exe: FSG!
C:\WINDOWS1\system32\cfgrbkrend.exe: FSG!
C:\WINDOWS1\system32\gpsresl32.exe: FSG!
C:\WINDOWS1\system32\msexnpbi.exe: PEFSG!
C:\WINDOWS1\system32\msexnpfi.exe: PEFSG!
C:\WINDOWS1\system32\popcorn72.exe: FSG!
C:\WINDOWS1\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS1\system32\DivX.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye
  • 0

#8
tampabelle
Posted 23 September 2005 - 08:00 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
* Please download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + CC:\WINDOWS1\system32\mc-58-12-0000093.exe
C:\WINDOWS1\system32\ntfsnlpa.exe
C:\WINDOWS1\system32\rdsndin.exe
C:\WINDOWS1\system32\c4t.exe
C:\WINDOWS1\system32\cfgrbkrend.exe
C:\WINDOWS1\system32\gpsresl32.exe
C:\WINDOWS1\system32\msexnpbi.exe
C:\WINDOWS1\system32\msexnpfi.exe
C:\WINDOWS1\system32\popcorn72.exe
C:\Program Files\WareOut
C:\WINDOWS1\System32\hclean32.exe
C:\WINDOWS1\System32\web.exe
C:\WINDOWS1\System32\svcnet.exe
C:\WINDOWS1\System32\csles.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.
[/list]After reboot, post a new HiJackThis log here.
  • 0

#9
Jmg90300zx
Posted 23 September 2005 - 09:19 AM

Jmg90300zx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Here ya go!

Logfile of HijackThis v1.99.1
Scan saved at 8:18:32 AM, on 9/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\WINDOWS1\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS1\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS1\System32\ctfmon.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS1\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS1\System32\wuauclt.exe
C:\WINDOWS1\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jon.JON-8HX8MZ3KHTU\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS1\System32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JON~1.JON\LOCALS~1\Temp\se.dll/spage.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [System Restore] svcnet.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS1\UpdReg.EXE
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [System backup] C:\WINDOWS1\System32\web.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS1\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS1\System32\ctfmon.exe
O4 - HKCU\..\Run: [System Restore] svcnet.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [updatelavasoft] C:\WINDOWS1\System32\updatelavasoft.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0b\cstray.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS1\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125267220564
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127256435424
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intercall.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72FB1A70-2593-45FC-8D24-C280CCAE0208}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFDBE60B-18A4-4833-B14A-01C31A3613AC}: NameServer = 195.95.218.18,85.255.112.11
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS1\wanmpsvc.exe
  • 0

#10
tampabelle
Posted 23 September 2005 - 09:28 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.


1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
SpSeHjfix.
DelDomains.inf
CWShredder

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder

2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS1\System32\msblank.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [System Restore] svcnet.exe
O4 - HKLM\..\Run: [System backup] C:\WINDOWS1\System32\web.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS1\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKCU\..\Run: [System Restore] svcnet.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{72FB1A70-2593-45FC-8D24-C280CCAE0208}: NameServer = 195.95.218.18,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFDBE60B-18A4-4833-B14A-01C31A3613AC}: NameServer = 195.95.218.18,85.255.112.11

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.


Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Open Windows Explorer (right click on Start and then click on explore). Delete the following files, if found -

svcnet.exe
C:\WINDOWS1\System32\web.exe
C:\WINDOWS1\System32\popcorn72.exe
C:\Program Files\WareOut <----- Full folder

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
  • 0

Advertisements

#11
Jmg90300zx
Posted 23 September 2005 - 03:48 PM

Jmg90300zx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Ok... no real problems. Except when I ran Spsehjfix, it didn't reboot like it said it was going to. I read the log, and it basically said that It need a reboot. Also the "Rogue" files I could not find, and therefore assume they must have already been deleted, and I was viewing hidden files as well. Also CWShredder found nothing, and cleanup cleaned a good 12,000 files!! On the Kapersky online scan it asks what to scan... I chose "My Computer" versus the other options like email etc.

Here are the logs as requested:

SPSeHjFix log:

(9/23/05 10:21:07 AM) SPSeHjFix started v1.1.2
(9/23/05 10:21:07 AM) OS: WinXP Service Pack 1 (5.1.2600)
(9/23/05 10:21:07 AM) Language: english
(9/23/05 10:21:07 AM) Win-Path: C:\WINDOWS1
(9/23/05 10:21:07 AM) System-Path: C:\WINDOWS1\System32
(9/23/05 10:21:07 AM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(9/23/05 10:21:10 AM) Disinfection started
(9/23/05 10:21:10 AM) Bad-Dll(IEP): c:\docume~1\jon~1.jon\locals~1\temp\se.dll
(9/23/05 10:21:10 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:21:10 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:21:10 AM) Bad IE-pages:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\jon~1.jon\locals~1\temp\se.dll/spage.html
(9/23/05 10:21:10 AM) Stealth-String not found
(9/23/05 10:21:10 AM) No locked Files to delete. End without Reboot
(9/23/05 10:21:32 AM) Disinfection started
(9/23/05 10:21:32 AM) Bad-Dll(IEP): c:\docume~1\jon~1.jon\locals~1\temp\se.dll
(9/23/05 10:21:32 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:21:32 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:21:32 AM) Bad IE-pages: (none)
(9/23/05 10:21:32 AM) Stealth-String not found
(9/23/05 10:21:32 AM) No locked Files to delete. End without Reboot
(9/23/05 10:24:19 AM) Disinfection started
(9/23/05 10:24:19 AM) Bad-Dll(IEP): c:\docume~1\jon~1.jon\locals~1\temp\se.dll
(9/23/05 10:24:19 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:24:19 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:24:19 AM) Bad IE-pages: (none)
(9/23/05 10:24:19 AM) Stealth-String not found
(9/23/05 10:24:19 AM) No locked Files to delete. End without Reboot
(9/23/05 10:24:20 AM) Disinfection started
(9/23/05 10:24:20 AM) Bad-Dll(IEP): c:\docume~1\jon~1.jon\locals~1\temp\se.dll
(9/23/05 10:24:20 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:24:20 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:24:20 AM) Bad IE-pages: (none)
(9/23/05 10:24:20 AM) Stealth-String not found
(9/23/05 10:24:20 AM) No locked Files to delete. End without Reboot
(9/23/05 10:24:20 AM) Disinfection started
(9/23/05 10:24:20 AM) Bad-Dll(IEP): c:\docume~1\jon~1.jon\locals~1\temp\se.dll
(9/23/05 10:24:20 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:24:20 AM) UBF: 7 - UBB: 0 - UBR: 11
(9/23/05 10:24:20 AM) Bad IE-pages: (none)
(9/23/05 10:24:20 AM) Stealth-String not found
(9/23/05 10:24:20 AM) No locked Files to delete. End without Reboot


Kaspersky log: VERY SLOWWWW!!!

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, September 23, 2005 14:46:40
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 23/09/2005
Kaspersky Anti-Virus database records: 141809
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 64939
Number of viruses found: 8
Number of infected objects: 43
Number of suspicious objects: 0
Duration of the scan process: 13239 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OfficeTools.hta Infected: Trojan-Dropper.VBS.Inor.bt
C:\My Shared Folder\Windows XP SP2 KeyGen.exe Infected: P2P-Worm.Win32.Tibick
C:\Program Files\Norton AntiVirus\Quarantine\00A00DCB.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\00B409B5.exe Infected: Trojan.Win32.Qhost.df
C:\Program Files\Norton AntiVirus\Quarantine\069F6FC0.exe Infected: Trojan.Win32.Qhost.df
C:\Program Files\Norton AntiVirus\Quarantine\0C157988.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\15527FE5.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\156925CC.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\158D73A4.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\Program Files\Norton AntiVirus\Quarantine\1E552687.exe Infected: P2P-Worm.Win32.Tibick
C:\Program Files\Norton AntiVirus\Quarantine\46FF1D83.exe Infected: Trojan.Win32.Qhost.df
C:\Program Files\Norton AntiVirus\Quarantine\47091B78.exe Infected: Trojan.Win32.Qhost.df
C:\Program Files\Norton AntiVirus\Quarantine\68C7337F.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP12\A0001184.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP12\A0001198.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001209.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001212.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001221.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001230.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001233.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001245.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001252.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP13\A0001253.exe Infected: P2P-Worm.Win32.Tibick
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP14\A0002203.dll Infected: Virus.Win32.Nsag.a
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP15\A0004057.dll Infected: Virus.Win32.Nsag.a
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP25\A0005065.dll Infected: Virus.Win32.Nsag.a
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP25\A0005183.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP25\A0005292.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP42\A0006953.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP42\A0006961.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP42\A0006968.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP44\A0007023.exe Infected: Trojan.Win32.Qhost.df
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP44\A0007030.exe Infected: Trojan-Downloader.Win32.Small.bgv
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP44\A0007031.exe Infected: Trojan-Downloader.Win32.Agent.sy
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP44\A0007034.exe Infected: Trojan-Downloader.Win32.Agent.sy
C:\System Volume Information\_restore{EB63D5DD-ABB1-45E4-82F6-07BB29787DBF}\RP44\A0007035.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\WINDOWS1\hisistheurls.exe/archive comment Infected: Trojan.Win32.Favadd.f
C:\WINDOWS1\hisistheurls.exe Infected: Trojan.Win32.Favadd.f
C:\WINDOWS1\msview\Ad-aware Professional.exe Infected: P2P-Worm.Win32.Tibick
C:\WINDOWS1\msview\Ad-aware.exe Infected: P2P-Worm.Win32.Tibick
C:\WINDOWS1\msview\ICQ 4.exe Infected: P2P-Worm.Win32.Tibick
C:\WINDOWS1\msview\Spybot - Search & Destroy.exe Infected: P2P-Worm.Win32.Tibick
C:\WINDOWS1\msview\WinZip.exe Infected: P2P-Worm.Win32.Tibick

Scan process completed.


Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:47:38 PM, on 9/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS1\Explorer.EXE
C:\WINDOWS1\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS1\System32\CTHELPER.EXE
C:\WINDOWS1\System32\ctfmon.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS1\System32\ssstars.scr
C:\WINDOWS1\System32\ssstars.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Agent\agent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jon.JON-8HX8MZ3KHTU\Desktop\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS1\UpdReg.EXE
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS1\System32\ctfmon.exe
O4 - HKCU\..\Run: [updatelavasoft] C:\WINDOWS1\System32\updatelavasoft.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0b\cstray.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS1\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125267220564
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127256435424
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intercall.we...bex/ieatgpc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS1\wanmpsvc.exe
  • 0

#12
tampabelle
Posted 23 September 2005 - 05:28 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Download DelDomains.inf.

Right click on it and let it merge with your registry.


Delete the following files -

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OfficeTools.hta
C:\My Shared Folder\Windows XP SP2 KeyGen.exe
C:\WINDOWS1\hisistheurls.exe
C:\WINDOWS1\msview\Ad-aware Professional.exe C:\WINDOWS1\msview\Ad-aware.exe
C:\WINDOWS1\msview\ICQ 4.exe
C:\WINDOWS1\msview\Spybot - Search & Destroy.exe
C:\WINDOWS1\msview\WinZip.exe


Reboot the PC and post a fresh HJT log.

Also let me know how your PC is behaving now !!!!
  • 0

#13
Jmg90300zx
Posted 23 September 2005 - 06:07 PM

Jmg90300zx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Not sure I understand how to merge that with the registry...
  • 0

#14
tampabelle
Posted 23 September 2005 - 07:21 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
My bad.

Here are the instructions for using Deldomains.inf :

Right Click on the file and then Click on Install.

Please proceed with the rest of the fix.
  • 0

#15
Jmg90300zx
Posted 24 September 2005 - 01:56 AM

Jmg90300zx

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
I did right click on the file... and then clicked on install.. the icons on my screen appeared to refresh... that was it.

I deleted only a couple of the files that were listed in the fix.. the others werent there!

My computer seems to be working a lot better so far. Except my task bar now is back to classic style, and I wanna get it to look like XP style again.

Logfile of HijackThis v1.99.1
Scan saved at 1:04:46 AM, on 9/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS1\Explorer.EXE
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS1\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS1\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS1\System32\ctfmon.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS1\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jon.JON-8HX8MZ3KHTU\Desktop\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS1\UpdReg.EXE
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS1\System32\ctfmon.exe
O4 - HKCU\..\Run: [updatelavasoft] C:\WINDOWS1\System32\updatelavasoft.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0b\cstray.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS1\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125267220564
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127256435424
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intercall.we...bex/ieatgpc.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS1\wanmpsvc.exe

Edited by Jmg90300zx, 24 September 2005 - 02:06 AM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP