Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Suspected corrupted Registry [RESOLVED]

Started by Chris - Thecleancar , May 08 2006 04:58 AM

  • This topic is locked This topic is locked

#31
Chris - Thecleancar
Posted 14 May 2006 - 01:38 PM

Chris - Thecleancar

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 244 posts
Hello

Sorry for the delay I've been busy here too

I've 'Fix checked ' the 7 items in HJThis

Ran Killbox on the 2 items listed no problems Did not see this mesage "Click OK at any PendingFileRenameOperations prompt "

New HJThis log below

You asked how PC is running - well it seems to be ok but of course I'm not accessing the web at all at present
Still no reply from BT Yahoo

Thanks again Chris

Logfile of HijackThis v1.99.1
Scan saved at 20:27:06, on 14/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\YOP\secstat.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.c...ntr_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146591326109
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

Advertisements

#32
RiP
Posted 14 May 2006 - 03:33 PM

RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, Chris - Thecleancar.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Please post back with a fresh HijackThis log.
  • 0

#33
Chris - Thecleancar
Posted 15 May 2006 - 02:49 AM

Chris - Thecleancar

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 244 posts
Hello

I've 'Fix checked' the 4 items

How are we doing - looks like when I connected to the web after you had cleaned the machine quite a number of problems reoccured

Below is latest HJThis log

Chris

Logfile of HijackThis v1.99.1
Scan saved at 09:38:31, on 15/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\YOP\secstat.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.c...ntr_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146591326109
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

#34
RiP
Posted 16 May 2006 - 09:36 PM

RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, Chris - Thecleancar.

I'd like to see another WinPFind log, something seems to be stopping the malware from leaving.

Download WindPFind

Extract WinPFind.zip to your c:\ folder.

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
  • 0

#35
Chris - Thecleancar
Posted 17 May 2006 - 02:33 AM

Chris - Thecleancar

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 244 posts
Hello

Nice to hear from you again looks like you are very busy judging by the list of New posts

I've run WinPFind in Safe mode and the log is below

My malware removal seems to be causing you problems - its nothing to do with the partly installed Norton/Symantec files is it - should I try to remove them in Add/Remove progs?

Chris

WINPFIND LOG

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 29/08/2002 13:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 29/08/2002 13:00:00 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 29/08/2002 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
17/05/2006 09:16:50 S 2048 C:\WINDOWS\bootstat.dat
02/05/2006 14:55:08 RH 749 C:\WINDOWS\WindowsShell.Manifest
08/05/2006 15:29:24 S 64 C:\WINDOWS\CSC\00000001
08/05/2006 12:22:12 S 64 C:\WINDOWS\CSC\00000002
02/05/2006 14:55:20 H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
02/05/2006 14:56:52 HS 67 C:\WINDOWS\Fonts\desktop.ini
02/05/2006 18:36:18 H 0 C:\WINDOWS\inf\oem3.inf
02/05/2006 14:55:20 H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
02/05/2006 14:56:08 RHS 727 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_1.cab
02/05/2006 14:56:08 RHS 19854 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_2.cab
02/05/2006 14:56:08 RHS 243124 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_3.cab
02/05/2006 14:57:58 H 233472 C:\WINDOWS\repair\ntuser.dat
02/05/2006 14:55:08 RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
02/05/2006 14:55:20 RH 488 C:\WINDOWS\system32\logonui.exe.manifest
02/05/2006 14:55:08 RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
02/05/2006 14:55:08 RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
02/05/2006 14:55:08 RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
02/05/2006 15:54:06 H 60928 C:\WINDOWS\system32\tatkuv.exe
02/05/2006 14:55:20 RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
02/05/2006 14:55:08 RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
17/05/2006 09:16:58 H 12288 C:\WINDOWS\system32\config\default.LOG
17/05/2006 09:17:14 H 1024 C:\WINDOWS\system32\config\SAM.LOG
17/05/2006 09:16:52 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
17/05/2006 09:18:04 H 118784 C:\WINDOWS\system32\config\software.LOG
17/05/2006 09:16:52 H 700416 C:\WINDOWS\system32\config\system.LOG
02/05/2006 15:36:24 H 1024 C:\WINDOWS\system32\config\TempKey.LOG
02/05/2006 15:36:26 H 1024 C:\WINDOWS\system32\config\userdiff.LOG
02/05/2006 15:38:20 HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
02/05/2006 15:38:20 HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
02/05/2006 14:56:14 HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
02/05/2006 14:56:14 HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
02/05/2006 14:56:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
02/05/2006 14:56:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
02/05/2006 14:56:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0TY3WPUV\desktop.ini
02/05/2006 14:56:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4HEVGDU3\desktop.ini
02/05/2006 14:56:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ODUJOHIF\desktop.ini
02/05/2006 14:56:14 HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\S12NW12F\desktop.ini
02/05/2006 14:55:24 HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
02/05/2006 15:38:20 HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
02/05/2006 14:57:54 HS 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
02/05/2006 14:57:54 HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
02/05/2006 14:57:54 HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
02/05/2006 14:57:54 HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
02/05/2006 14:57:54 HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
02/05/2006 16:01:34 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\10f72a60-e7b1-44f8-b5c6-5ded380594c9
02/05/2006 16:01:34 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
02/05/2006 18:36:24 RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
17/05/2006 09:16:00 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 29/08/2002 13:00:00 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 29/08/2002 13:00:00 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 13:00:00 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 29/08/2002 13:00:00 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29/08/2002 13:00:00 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 29/08/2002 13:00:00 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 29/08/2002 13:00:00 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 29/08/2002 13:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 29/08/2002 13:00:00 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 29/08/2002 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 29/08/2002 13:00:00 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 29/08/2002 13:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 29/08/2002 13:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 29/08/2002 13:00:00 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 29/08/2002 13:00:00 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 29/08/2002 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 29/08/2002 13:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 29/08/2002 13:00:00 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 29/08/2002 13:00:00 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 29/08/2002 13:00:00 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 29/08/2002 13:00:00 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 29/08/2002 13:00:00 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 29/08/2002 13:00:00 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 29/08/2002 13:00:00 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 29/08/2002 13:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 29/08/2002 13:00:00 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 29/08/2002 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 29/08/2002 13:00:00 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 29/08/2002 13:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 29/08/2002 13:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 29/08/2002 13:00:00 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 29/08/2002 13:00:00 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 29/08/2002 13:00:00 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 29/08/2002 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 29/08/2002 13:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
02/05/2006 18:08:36 1789 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
02/05/2006 14:57:54 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
02/05/2006 15:38:20 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
02/05/2006 14:57:54 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
02/05/2006 15:38:20 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
YPC 3.2.0 = Yahoo! Parental Controls

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Yahoo! Toolbar Helper = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
ButtonText = BT Yahoo! Services :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
YOP C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
YBrowser C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\System32\CTFMON.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 17/05/2006 09:23:06
  • 0

#36
RiP
Posted 17 May 2006 - 02:58 PM

RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, Chris - Thecleancar.

Nice to hear from you again looks like you are very busy judging by the list of New posts

Yeah, malware never seems to go away around here.

My malware removal seems to be causing you problems - its nothing to do with the partly installed Norton/Symantec files is it - should I try to remove them in Add/Remove progs?

Go ahead and try to remove them for now.

Run Killbox:
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\tatkuv.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Reboot into Normal Mode.

Please do an online scan with Kaspersky WebScanner Please note: You MUST use Internet Explorer for this scan to work. )

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#37
Chris - Thecleancar
Posted 18 May 2006 - 01:53 AM

Chris - Thecleancar

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 244 posts
Hello

Judging from the new posts looks like the Malware problem is getting worse inspite of all the best efforts of G2G.

I would like to ask you this before I go ahead with the latest set of cleaning instructions.

I tried to Add/remove Norton/Symantec but this did not work so I ran the uninstall tool that BT Yahoo sent me this removed the BT Yahoo browser but left Norton/Symantec in Add /remove. I tried again to remove but with the same result.
The message I got both times was "Unable to find setup related files. A previous install or uninstall with this application might have been interupted and the setup cannot continue further. Please try running the setup from the original CD or other source location" and it gives a link to Symantec technical support.
I dont have a CD of course as this was a download/install.
The BT Yahoo online protection icon has however gone from the tray.
As my infected PC does not have a working Antivirus or a firewall would it be a good idea to install AVG antivirus and Zone alarm firewall.

Otherwise when I go to scan with Kaspersky I run the risk of further infections

I am really concerned that conecting to the web again is going to cause even more trouble

What do you think

Thanks again ( I may have to be away for a couple of days so expect a delayed response)

Chris
  • 0

#38
RiP
Posted 18 May 2006 - 05:35 PM

RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, Chris - Thecleancar.

Sometimes norton can really be a big pain to install/uninstall from your computer.

As my infected PC does not have a working Antivirus or a firewall would it be a good idea to install AVG antivirus and Zone alarm firewall.

Until you resolve your situation with norton, that's probably a good idea.

I am really concerned that conecting to the web again is going to cause even more trouble

What do you think

As long as you just go to trusted sites like Kaspersky, you should be fine. It would definitely help to install ZoneAlarm and AVG in the meantime though.
  • 0

#39
Chris - Thecleancar
Posted 19 May 2006 - 05:28 AM

Chris - Thecleancar

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 244 posts
Hello

I've installed AVG and ZoneAlarm and have updated them

I ran AVG an it found about 20 items and said it fixed them Sorry I dont have details of them all but MyBot was mentioned also some of the Killbox files were infected

I ran Killbox and received the "Click OK at any PendingFileRenameOperations prompt" message so I restarted manually

I cant get the Kaspersky site all I get is the usuall "Page cannot be displayed" message I am using I E 6.0

This message comes to you from the 'sick' PC a small step forward ?

Please advise

Chris
  • 0

#40
Chris - Thecleancar
Posted 19 May 2006 - 05:30 AM

Chris - Thecleancar

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 244 posts
Hello

Just received a flood of pop ups again will go back to other computer - can I stop these popup with a setting change

Chris
  • 0

Advertisements

#41
Chris - Thecleancar
Posted 19 May 2006 - 05:36 AM

Chris - Thecleancar

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 244 posts
Hello

Or can you suggest a popup blocker application

Chris
  • 0

#42
RiP
Posted 19 May 2006 - 07:23 AM

RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, Chris - Thecleancar.

Just received a flood of pop ups again will go back to other computer - can I stop these popup with a setting change

If it's malware that's causing them it's unlikely that will help, it sounds like you have a rootkit type infection on your computer. Can you please post a new HijackThis log as it has been a few days since the last one?
  • 0

#43
Chris - Thecleancar
Posted 19 May 2006 - 10:15 AM

Chris - Thecleancar

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 244 posts
Hi

What is a rootkit infection - just to try to keep in touch ( only a bit though :whistling: )

AVG is findiing and 'healing' Trojan horse infections in file like C:\mousepad17.exe or keyboard17.exe or newname17.exe - yhere are a number of apps like these in C:\

Here is latest HJThis log

Chris

Logfile of HijackThis v1.99.1
Scan saved at 17:05:14, on 19/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.c...ntr_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146591326109
O17 - HKLM\System\CCS\Services\Tcpip\..\{008D792B-2BEC-420E-9197-E10F729B6B5E}: NameServer = 62.6.40.162 194.72.0.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{008D792B-2BEC-420E-9197-E10F729B6B5E}: NameServer = 62.6.40.162 194.72.0.98
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#44
RiP
Posted 19 May 2006 - 03:35 PM

RiP

    Malware Expert

  • Retired Staff
  • 8,430 posts
Hello, Chris - Thecleancar.

A rootkit infection is one that hides so deep you need special programs to even know it exists, much less remove it. A good example of an attempt at one is the Sony BMG rootkit.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
  • 0

#45
Chris - Thecleancar
Posted 20 May 2006 - 05:31 AM

Chris - Thecleancar

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 244 posts
Hello

Thanks for the info re 'rootkit infection' I did think it was something like that

I ran AproposFix in Safe mode and the log is below together with a new HJThis log

THANKS Chris

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Administrator\Desktop\aproposfix

************



Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!


Logfile of HijackThis v1.99.1
Scan saved at 12:23:02, on 20/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.c...ntr_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1146591326109
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP